iPXE
Macros | Functions | Variables
x509.c File Reference

X.509 certificates. More...

#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
#include <ipxe/base16.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/rsa.h>
#include <ipxe/rootcert.h>
#include <ipxe/certstore.h>
#include <ipxe/privkey.h>
#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>

Go to the source code of this file.

Macros

#define ENOTSUP_ALGORITHM    __einfo_error ( EINFO_ENOTSUP_ALGORITHM )
#define EINFO_ENOTSUP_ALGORITHM    __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )
#define ENOTSUP_EXTENSION    __einfo_error ( EINFO_ENOTSUP_EXTENSION )
#define EINFO_ENOTSUP_EXTENSION    __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )
#define EINVAL_ALGORITHM    __einfo_error ( EINFO_EINVAL_ALGORITHM )
#define EINFO_EINVAL_ALGORITHM    __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )
#define EINVAL_ALGORITHM_MISMATCH    __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )
#define EINFO_EINVAL_ALGORITHM_MISMATCH    __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )
#define EINVAL_PATH_LEN    __einfo_error ( EINFO_EINVAL_PATH_LEN )
#define EINFO_EINVAL_PATH_LEN    __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )
#define EINVAL_VERSION    __einfo_error ( EINFO_EINVAL_VERSION )
#define EINFO_EINVAL_VERSION    __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )
#define EACCES_WRONG_ISSUER    __einfo_error ( EINFO_EACCES_WRONG_ISSUER )
#define EINFO_EACCES_WRONG_ISSUER    __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )
#define EACCES_NOT_CA    __einfo_error ( EINFO_EACCES_NOT_CA )
#define EINFO_EACCES_NOT_CA    __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )
#define EACCES_KEY_USAGE    __einfo_error ( EINFO_EACCES_KEY_USAGE )
#define EINFO_EACCES_KEY_USAGE    __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )
#define EACCES_EXPIRED    __einfo_error ( EINFO_EACCES_EXPIRED )
#define EINFO_EACCES_EXPIRED    __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )
#define EACCES_PATH_LEN    __einfo_error ( EINFO_EACCES_PATH_LEN )
#define EINFO_EACCES_PATH_LEN    __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
#define EACCES_UNTRUSTED    __einfo_error ( EINFO_EACCES_UNTRUSTED )
#define EINFO_EACCES_UNTRUSTED    __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
#define EACCES_OUT_OF_ORDER    __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )
#define EINFO_EACCES_OUT_OF_ORDER    __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )
#define EACCES_EMPTY    __einfo_error ( EINFO_EACCES_EMPTY )
#define EINFO_EACCES_EMPTY    __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
#define EACCES_OCSP_REQUIRED    __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
#define EINFO_EACCES_OCSP_REQUIRED    __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
#define EACCES_WRONG_NAME    __einfo_error ( EINFO_EACCES_WRONG_NAME )
#define EINFO_EACCES_WRONG_NAME    __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
#define EACCES_USELESS    __einfo_error ( EINFO_EACCES_USELESS )
#define EINFO_EACCES_USELESS    __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
static void x509_free (struct refcnt *refcnt)
 Free X.509 certificate.
const char * x509_name (struct x509_certificate *cert)
 Get X.509 certificate display name.
static int x509_parse_version (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate version.
static int x509_parse_serial (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate serial number.
static int x509_parse_issuer (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate issuer.
static int x509_parse_validity (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate validity.
static int x509_parse_common_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate common name.
static int x509_parse_subject (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject.
static int x509_parse_public_key (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate public key information.
static int x509_parse_basic_constraints (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate basic constraints.
static int x509_parse_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key usage.
static int x509_parse_key_purpose (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key purpose identifier.
static int x509_parse_extended_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extended key usage.
static int x509_parse_ocsp (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate OCSP access method.
static struct x509_access_methodx509_find_access_method (const struct asn1_cursor *oid)
 Identify X.509 access method by OID.
static int x509_parse_access_description (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate access description.
static int x509_parse_authority_info_access (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate authority information access.
static int x509_parse_subject_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject alternative name.
static struct x509_extensionx509_find_extension (const struct asn1_cursor *oid)
 Identify X.509 extension by OID.
static int x509_parse_extension (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extension.
static int x509_parse_extensions (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extensions, if present.
static int x509_parse_tbscertificate (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate tbsCertificate.
int x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate from ASN.1 data.
int x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
 Create X.509 certificate.
static int x509_check_signature (struct x509_certificate *cert, struct x509_public_key *public_key)
 Check X.509 certificate signature.
int x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
 Check X.509 certificate against issuer certificate.
void x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
 Calculate X.509 certificate fingerprint.
int x509_check_root (struct x509_certificate *cert, struct x509_root *root)
 Check X.509 root certificate.
int x509_check_time (struct x509_certificate *cert, time_t time)
 Check X.509 certificate validity period.
int x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
 Check if X.509 certificate is valid.
void x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
 Set X.509 certificate as validated.
int x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
 Validate X.509 certificate.
static int x509_check_dnsname (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative dNSName.
static int x509_check_ipaddress (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative iPAddress.
static int x509_check_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative name.
int x509_check_name (struct x509_certificate *cert, const char *name)
 Check X.509 certificate name.
static void x509_free_chain (struct refcnt *refcnt)
 Free X.509 certificate chain.
struct x509_chainx509_alloc_chain (void)
 Allocate X.509 certificate chain.
int x509_append (struct x509_chain *chain, struct x509_certificate *cert)
 Append X.509 certificate to X.509 certificate chain.
int x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
 Append X.509 certificate to X.509 certificate chain.
void x509_truncate (struct x509_chain *chain, struct x509_link *link)
 Truncate X.509 certificate chain.
static struct x509_certificatex509_found (struct x509_chain *store, struct x509_certificate *cert)
 Mark X.509 certificate as found.
struct x509_certificatex509_find (struct x509_chain *store, const struct asn1_cursor *raw)
 Identify X.509 certificate by raw certificate data.
struct x509_certificatex509_find_subject (struct x509_chain *store, const struct asn1_cursor *subject)
 Identify X.509 certificate by subject.
struct x509_certificatex509_find_issuer_serial (struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
 Identify X.509 certificate by issuer and serial number.
struct x509_certificatex509_find_key (struct x509_chain *store, struct private_key *key)
 Identify X.509 certificate by corresponding public key.
int x509_auto_append (struct x509_chain *chain, struct x509_chain *store)
 Append X.509 certificates to X.509 certificate chain.
int x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
 Validate X.509 certificate chain.
int image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
 Extract X.509 certificate object from image.
 REQUIRING_SYMBOL (x509_validate)
 REQUIRE_OBJECT (certstore)
 REQUIRE_OBJECT (config_crypto)

Variables

static uint8_t oid_common_name [] = { ASN1_OID_COMMON_NAME }
 "commonName" object identifier
static struct asn1_cursor oid_common_name_cursor
 "commonName" object identifier cursor
static uint8_t oid_code_signing [] = { ASN1_OID_CODESIGNING }
 "id-kp-codeSigning" object identifier
static uint8_t oid_ocsp_signing [] = { ASN1_OID_OCSPSIGNING }
 "id-kp-OCSPSigning" object identifier
static struct x509_key_purpose x509_key_purposes []
 Supported key purposes.
static uint8_t oid_ad_ocsp [] = { ASN1_OID_OCSP }
 "id-ad-ocsp" object identifier
static struct x509_access_method x509_access_methods []
 Supported access methods.
static uint8_t oid_ce_basic_constraints []
 "id-ce-basicConstraints" object identifier
static uint8_t oid_ce_key_usage []
 "id-ce-keyUsage" object identifier
static uint8_t oid_ce_ext_key_usage []
 "id-ce-extKeyUsage" object identifier
static uint8_t oid_pe_authority_info_access []
 "id-pe-authorityInfoAccess" object identifier
static uint8_t oid_ce_subject_alt_name []
 "id-ce-subjectAltName" object identifier
static struct x509_extension x509_extensions []
 Supported certificate extensions.

Detailed Description

X.509 certificates.

The structure of X.509v3 certificates is documented in RFC 5280 section 4.1.

Definition in file x509.c.

Macro Definition Documentation

◆ ENOTSUP_ALGORITHM

#define ENOTSUP_ALGORITHM    __einfo_error ( EINFO_ENOTSUP_ALGORITHM )

Definition at line 59 of file x509.c.

59#define ENOTSUP_ALGORITHM \
60 __einfo_error ( EINFO_ENOTSUP_ALGORITHM )

◆ EINFO_ENOTSUP_ALGORITHM

#define EINFO_ENOTSUP_ALGORITHM    __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )

Definition at line 61 of file x509.c.

61#define EINFO_ENOTSUP_ALGORITHM \
62 __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )

◆ ENOTSUP_EXTENSION

#define ENOTSUP_EXTENSION    __einfo_error ( EINFO_ENOTSUP_EXTENSION )

Definition at line 63 of file x509.c.

63#define ENOTSUP_EXTENSION \
64 __einfo_error ( EINFO_ENOTSUP_EXTENSION )

Referenced by x509_parse_extension().

◆ EINFO_ENOTSUP_EXTENSION

#define EINFO_ENOTSUP_EXTENSION    __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )

Definition at line 65 of file x509.c.

65#define EINFO_ENOTSUP_EXTENSION \
66 __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )

◆ EINVAL_ALGORITHM

#define EINVAL_ALGORITHM    __einfo_error ( EINFO_EINVAL_ALGORITHM )

Definition at line 67 of file x509.c.

67#define EINVAL_ALGORITHM \
68 __einfo_error ( EINFO_EINVAL_ALGORITHM )

◆ EINFO_EINVAL_ALGORITHM

#define EINFO_EINVAL_ALGORITHM    __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )

Definition at line 69 of file x509.c.

69#define EINFO_EINVAL_ALGORITHM \
70 __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )

◆ EINVAL_ALGORITHM_MISMATCH

#define EINVAL_ALGORITHM_MISMATCH    __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )

Definition at line 71 of file x509.c.

71#define EINVAL_ALGORITHM_MISMATCH \
72 __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )

Referenced by x509_check_signature(), and x509_parse().

◆ EINFO_EINVAL_ALGORITHM_MISMATCH

#define EINFO_EINVAL_ALGORITHM_MISMATCH    __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )

Definition at line 73 of file x509.c.

73#define EINFO_EINVAL_ALGORITHM_MISMATCH \
74 __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )

◆ EINVAL_PATH_LEN

#define EINVAL_PATH_LEN    __einfo_error ( EINFO_EINVAL_PATH_LEN )

Definition at line 75 of file x509.c.

75#define EINVAL_PATH_LEN \
76 __einfo_error ( EINFO_EINVAL_PATH_LEN )

◆ EINFO_EINVAL_PATH_LEN

#define EINFO_EINVAL_PATH_LEN    __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )

Definition at line 77 of file x509.c.

77#define EINFO_EINVAL_PATH_LEN \
78 __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )

◆ EINVAL_VERSION

#define EINVAL_VERSION    __einfo_error ( EINFO_EINVAL_VERSION )

Definition at line 79 of file x509.c.

79#define EINVAL_VERSION \
80 __einfo_error ( EINFO_EINVAL_VERSION )

Referenced by x509_parse_version().

◆ EINFO_EINVAL_VERSION

#define EINFO_EINVAL_VERSION    __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )

Definition at line 81 of file x509.c.

81#define EINFO_EINVAL_VERSION \
82 __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )

◆ EACCES_WRONG_ISSUER

#define EACCES_WRONG_ISSUER    __einfo_error ( EINFO_EACCES_WRONG_ISSUER )

Definition at line 83 of file x509.c.

83#define EACCES_WRONG_ISSUER \
84 __einfo_error ( EINFO_EACCES_WRONG_ISSUER )

Referenced by x509_check_issuer().

◆ EINFO_EACCES_WRONG_ISSUER

#define EINFO_EACCES_WRONG_ISSUER    __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )

Definition at line 85 of file x509.c.

85#define EINFO_EACCES_WRONG_ISSUER \
86 __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )

◆ EACCES_NOT_CA

#define EACCES_NOT_CA    __einfo_error ( EINFO_EACCES_NOT_CA )

Definition at line 87 of file x509.c.

87#define EACCES_NOT_CA \
88 __einfo_error ( EINFO_EACCES_NOT_CA )

Referenced by x509_check_issuer().

◆ EINFO_EACCES_NOT_CA

#define EINFO_EACCES_NOT_CA    __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )

Definition at line 89 of file x509.c.

89#define EINFO_EACCES_NOT_CA \
90 __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )

◆ EACCES_KEY_USAGE

#define EACCES_KEY_USAGE    __einfo_error ( EINFO_EACCES_KEY_USAGE )

Definition at line 91 of file x509.c.

91#define EACCES_KEY_USAGE \
92 __einfo_error ( EINFO_EACCES_KEY_USAGE )

Referenced by x509_check_issuer().

◆ EINFO_EACCES_KEY_USAGE

#define EINFO_EACCES_KEY_USAGE    __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )

Definition at line 93 of file x509.c.

93#define EINFO_EACCES_KEY_USAGE \
94 __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )

◆ EACCES_EXPIRED

#define EACCES_EXPIRED    __einfo_error ( EINFO_EACCES_EXPIRED )

Definition at line 95 of file x509.c.

95#define EACCES_EXPIRED \
96 __einfo_error ( EINFO_EACCES_EXPIRED )

Referenced by x509_check_time().

◆ EINFO_EACCES_EXPIRED

#define EINFO_EACCES_EXPIRED    __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )

Definition at line 97 of file x509.c.

97#define EINFO_EACCES_EXPIRED \
98 __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )

◆ EACCES_PATH_LEN

#define EACCES_PATH_LEN    __einfo_error ( EINFO_EACCES_PATH_LEN )

Definition at line 99 of file x509.c.

99#define EACCES_PATH_LEN \
100 __einfo_error ( EINFO_EACCES_PATH_LEN )

Referenced by x509_validate().

◆ EINFO_EACCES_PATH_LEN

#define EINFO_EACCES_PATH_LEN    __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )

Definition at line 101 of file x509.c.

101#define EINFO_EACCES_PATH_LEN \
102 __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )

◆ EACCES_UNTRUSTED

#define EACCES_UNTRUSTED    __einfo_error ( EINFO_EACCES_UNTRUSTED )

Definition at line 103 of file x509.c.

103#define EACCES_UNTRUSTED \
104 __einfo_error ( EINFO_EACCES_UNTRUSTED )

◆ EINFO_EACCES_UNTRUSTED

#define EINFO_EACCES_UNTRUSTED    __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

Definition at line 105 of file x509.c.

105#define EINFO_EACCES_UNTRUSTED \
106 __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

◆ EACCES_OUT_OF_ORDER

#define EACCES_OUT_OF_ORDER    __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )

Definition at line 107 of file x509.c.

107#define EACCES_OUT_OF_ORDER \
108 __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )

Referenced by x509_validate().

◆ EINFO_EACCES_OUT_OF_ORDER

#define EINFO_EACCES_OUT_OF_ORDER    __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )

Definition at line 109 of file x509.c.

109#define EINFO_EACCES_OUT_OF_ORDER \
110 __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )

◆ EACCES_EMPTY

#define EACCES_EMPTY    __einfo_error ( EINFO_EACCES_EMPTY )

Definition at line 111 of file x509.c.

111#define EACCES_EMPTY \
112 __einfo_error ( EINFO_EACCES_EMPTY )

Referenced by x509_auto_append().

◆ EINFO_EACCES_EMPTY

#define EINFO_EACCES_EMPTY    __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )

Definition at line 113 of file x509.c.

113#define EINFO_EACCES_EMPTY \
114 __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )

◆ EACCES_OCSP_REQUIRED

#define EACCES_OCSP_REQUIRED    __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )

Definition at line 115 of file x509.c.

115#define EACCES_OCSP_REQUIRED \
116 __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )

Referenced by x509_validate().

◆ EINFO_EACCES_OCSP_REQUIRED

#define EINFO_EACCES_OCSP_REQUIRED    __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )

Definition at line 117 of file x509.c.

117#define EINFO_EACCES_OCSP_REQUIRED \
118 __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )

◆ EACCES_WRONG_NAME

#define EACCES_WRONG_NAME    __einfo_error ( EINFO_EACCES_WRONG_NAME )

Definition at line 119 of file x509.c.

119#define EACCES_WRONG_NAME \
120 __einfo_error ( EINFO_EACCES_WRONG_NAME )

◆ EINFO_EACCES_WRONG_NAME

#define EINFO_EACCES_WRONG_NAME    __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )

Definition at line 121 of file x509.c.

121#define EINFO_EACCES_WRONG_NAME \
122 __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )

◆ EACCES_USELESS

#define EACCES_USELESS    __einfo_error ( EINFO_EACCES_USELESS )

Definition at line 123 of file x509.c.

123#define EACCES_USELESS \
124 __einfo_error ( EINFO_EACCES_USELESS )

Referenced by x509_validate_chain().

◆ EINFO_EACCES_USELESS

#define EINFO_EACCES_USELESS    __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Definition at line 125 of file x509.c.

125#define EINFO_EACCES_USELESS \
126 __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ x509_free()

void x509_free ( struct refcnt * refcnt)
static

Free X.509 certificate.

Parameters
refcntReference count

Definition at line 133 of file x509.c.

133 {
134 struct x509_certificate *cert =
135 container_of ( refcnt, struct x509_certificate, refcnt );
136
137 x509_root_put ( cert->root );
138 free ( cert );
139}
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition stddef.h:36
refcnt
A reference counter.
Definition refcnt.h:27
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_certificate::root
struct x509_root * root
Root against which certificate has been validated (if any)
Definition x509.h:226
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition x509.h:404

References container_of, free, x509_certificate::root, and x509_root_put().

Referenced by x509_certificate().

◆ x509_name()

const char * x509_name ( struct x509_certificate * cert)

Get X.509 certificate display name.

Parameters
certX.509 certificate
Return values
nameDisplay name

Definition at line 147 of file x509.c.

147 {
148 struct asn1_cursor *common_name = &cert->subject.common_name;
149 struct digest_algorithm *digest = &sha1_algorithm;
150 static char buf[64];
151 uint8_t fingerprint[ digest->digestsize ];
152 size_t len;
153
154 len = common_name->len;
155 if ( len ) {
156 /* Certificate has a commonName: use that */
157 if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
158 len = ( sizeof ( buf ) - 1 /* NUL */ );
159 memcpy ( buf, common_name->data, len );
160 buf[len] = '\0';
161 } else {
162 /* Certificate has no commonName: use SHA-1 fingerprint */
163 x509_fingerprint ( cert, digest, fingerprint );
164 base16_encode ( fingerprint, sizeof ( fingerprint ),
165 buf, sizeof ( buf ) );
166 }
167 return buf;
168}
uint8_t
unsigned char uint8_t
Definition stdint.h:10
len
ring len
Length.
Definition dwmac.h:226
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition sha1.c:258
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
asn1_cursor::data
const void * data
Start of data.
Definition asn1.h:23
asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25
digest_algorithm
A message digest algorithm.
Definition crypto.h:19
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition crypto.h:27
x509_certificate::subject
struct x509_subject subject
Subject.
Definition x509.h:245
x509_subject::common_name
struct asn1_cursor common_name
Common name.
Definition x509.h:64
x509_fingerprint
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition x509.c:1237

References x509_subject::common_name, asn1_cursor::data, digest_algorithm::digestsize, asn1_cursor::len, len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), efi_cacert(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

◆ x509_parse_version()

int x509_parse_version ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate version.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 184 of file x509.c.

185 {
186 struct asn1_cursor cursor;
187 int version;
188 int rc;
189
190 /* Enter version */
191 memcpy ( &cursor, raw, sizeof ( cursor ) );
192 asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
193
194 /* Parse integer */
195 if ( ( rc = asn1_integer ( &cursor, &version ) ) != 0 ) {
196 DBGC ( cert, "X509 %p cannot parse version: %s\n",
197 cert, strerror ( rc ) );
198 DBGC_HDA ( cert, 0, raw->data, raw->len );
199 return rc;
200 }
201
202 /* Sanity check */
203 if ( version < 0 ) {
204 DBGC ( cert, "X509 %p invalid version %d\n", cert, version );
205 DBGC_HDA ( cert, 0, raw->data, raw->len );
206 return -EINVAL_VERSION;
207 }
208
209 /* Record version */
210 cert->version = version;
211 DBGC2 ( cert, "X509 %p is a version %d certificate\n",
212 cert, ( cert->version + 1 ) );
213
214 return 0;
215}
raw
__be32 raw[7]
Definition CIB_PRM.h:0
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition asn1.c:169
asn1_integer
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
Definition asn1.c:416
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition asn1.h:99
version
u32 version
Driver version.
Definition ath9k_hw.c:1985
DBGC2
#define DBGC2(...)
Definition compiler.h:522
DBGC
#define DBGC(...)
Definition compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
x509_certificate::version
unsigned int version
Version.
Definition x509.h:233
EINVAL_VERSION
#define EINVAL_VERSION
Definition x509.c:79

References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_integer(), DBGC, DBGC2, DBGC_HDA, EINVAL_VERSION, memcpy(), raw, rc, strerror(), version, and x509_certificate::version.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_serial()

int x509_parse_serial ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate serial number.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 224 of file x509.c.

225 {
226 struct x509_serial *serial = &cert->serial;
227 int rc;
228
229 /* Record raw serial number */
230 memcpy ( &serial->raw, raw, sizeof ( serial->raw ) );
231 if ( ( rc = asn1_shrink ( &serial->raw, ASN1_INTEGER ) ) != 0 ) {
232 DBGC ( cert, "X509 %p cannot shrink serialNumber: %s\n",
233 cert, strerror ( rc ) );
234 return rc;
235 }
236 DBGC2 ( cert, "X509 %p serial is:\n", cert );
237 DBGC2_HDA ( cert, 0, serial->raw.data, serial->raw.len );
238
239 return 0;
240}
asn1_shrink
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition asn1.c:254
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition asn1.h:63
serial
uint64_t serial
Serial number.
Definition edd.h:1
DBGC2_HDA
#define DBGC2_HDA(...)
Definition compiler.h:523
x509_certificate::serial
struct x509_serial serial
Serial number.
Definition x509.h:235
x509_serial
An X.509 serial number.
Definition x509.h:24

References ASN1_INTEGER, asn1_shrink(), DBGC, DBGC2, DBGC2_HDA, memcpy(), raw, rc, serial, x509_certificate::serial, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_issuer()

int x509_parse_issuer ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate issuer.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 249 of file x509.c.

250 {
251 struct x509_issuer *issuer = &cert->issuer;
252 int rc;
253
254 /* Record raw issuer */
255 memcpy ( &issuer->raw, raw, sizeof ( issuer->raw ) );
256 if ( ( rc = asn1_shrink ( &issuer->raw, ASN1_SEQUENCE ) ) != 0 ) {
257 DBGC ( cert, "X509 %p cannot shrink issuer: %s\n",
258 cert, strerror ( rc ) );
259 return rc;
260 }
261 DBGC2 ( cert, "X509 %p issuer is:\n", cert );
262 DBGC2_HDA ( cert, 0, issuer->raw.data, issuer->raw.len );
263
264 return 0;
265}
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition asn1.h:90
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition x509.h:241
x509_issuer
An X.509 issuer.
Definition x509.h:30
x509_issuer::raw
struct asn1_cursor raw
Raw issuer.
Definition x509.h:32

References ASN1_SEQUENCE, asn1_shrink(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, x509_certificate::issuer, asn1_cursor::len, memcpy(), raw, x509_issuer::raw, rc, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_validity()

int x509_parse_validity ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate validity.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 274 of file x509.c.

275 {
276 struct x509_validity *validity = &cert->validity;
277 struct x509_time *not_before = &validity->not_before;
278 struct x509_time *not_after = &validity->not_after;
279 struct asn1_cursor cursor;
280 int rc;
281
282 /* Enter validity */
283 memcpy ( &cursor, raw, sizeof ( cursor ) );
284 asn1_enter ( &cursor, ASN1_SEQUENCE );
285
286 /* Parse notBefore */
287 if ( ( rc = asn1_generalized_time ( &cursor,
288 &not_before->time ) ) != 0 ) {
289 DBGC ( cert, "X509 %p cannot parse notBefore: %s\n",
290 cert, strerror ( rc ) );
291 return rc;
292 }
293 DBGC2 ( cert, "X509 %p valid from time %lld\n",
294 cert, not_before->time );
295 asn1_skip_any ( &cursor );
296
297 /* Parse notAfter */
298 if ( ( rc = asn1_generalized_time ( &cursor,
299 &not_after->time ) ) != 0 ) {
300 DBGC ( cert, "X509 %p cannot parse notAfter: %s\n",
301 cert, strerror ( rc ) );
302 return rc;
303 }
304 DBGC2 ( cert, "X509 %p valid until time %lld\n",
305 cert, not_after->time );
306
307 return 0;
308}
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition asn1.c:290
asn1_generalized_time
int asn1_generalized_time(const struct asn1_cursor *cursor, time_t *time)
Parse ASN.1 GeneralizedTime.
Definition asn1.c:777
x509_certificate::validity
struct x509_validity validity
Validity.
Definition x509.h:243
x509_time
An X.509 time.
Definition x509.h:36
x509_time::time
time_t time
Seconds since the Epoch.
Definition x509.h:38
x509_validity
An X.509 certificate validity period.
Definition x509.h:42
x509_validity::not_before
struct x509_time not_before
Not valid before.
Definition x509.h:44
x509_validity::not_after
struct x509_time not_after
Not valid after.
Definition x509.h:46

References asn1_enter(), asn1_generalized_time(), ASN1_SEQUENCE, asn1_skip_any(), DBGC, DBGC2, memcpy(), x509_validity::not_after, x509_validity::not_before, raw, rc, strerror(), x509_time::time, and x509_certificate::validity.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_common_name()

int x509_parse_common_name ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate common name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 317 of file x509.c.

318 {
319 struct asn1_cursor cursor;
320 struct asn1_cursor oid_cursor;
321 struct asn1_cursor name_cursor;
322 int rc;
323
324 /* Enter name */
325 memcpy ( &cursor, raw, sizeof ( cursor ) );
326 asn1_enter ( &cursor, ASN1_SEQUENCE );
327
328 /* Scan through name list */
329 for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {
330
331 /* Check for "commonName" OID */
332 memcpy ( &oid_cursor, &cursor, sizeof ( oid_cursor ) );
333 asn1_enter ( &oid_cursor, ASN1_SET );
334 asn1_enter ( &oid_cursor, ASN1_SEQUENCE );
335 memcpy ( &name_cursor, &oid_cursor, sizeof ( name_cursor ) );
336 asn1_enter ( &oid_cursor, ASN1_OID );
337 if ( asn1_compare ( &oid_common_name_cursor, &oid_cursor ) != 0)
338 continue;
339 asn1_skip_any ( &name_cursor );
340 if ( ( rc = asn1_enter_any ( &name_cursor ) ) != 0 ) {
341 DBGC ( cert, "X509 %p cannot locate name:\n", cert );
342 DBGC_HDA ( cert, 0, raw->data, raw->len );
343 return rc;
344 }
345
346 /* Record common name */
347 memcpy ( &cert->subject.common_name, &name_cursor,
348 sizeof ( cert->subject.common_name ) );
349
350 return 0;
351 }
352
353 /* Certificates may not have a commonName */
354 DBGC2 ( cert, "X509 %p no commonName found:\n", cert );
355 return 0;
356}
asn1_enter_any
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
Definition asn1.c:280
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition asn1.c:458
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition asn1.h:75
ASN1_SET
#define ASN1_SET
ASN.1 set.
Definition asn1.h:93
oid_common_name_cursor
static struct asn1_cursor oid_common_name_cursor
"commonName" object identifier cursor
Definition x509.c:174

References asn1_compare(), asn1_enter(), asn1_enter_any(), ASN1_OID, ASN1_SEQUENCE, ASN1_SET, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, DBGC_HDA, asn1_cursor::len, memcpy(), oid_common_name_cursor, raw, rc, and x509_certificate::subject.

Referenced by x509_parse_subject().

◆ x509_parse_subject()

int x509_parse_subject ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate subject.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 365 of file x509.c.

366 {
367 struct x509_subject *subject = &cert->subject;
368 int rc;
369
370 /* Record raw subject */
371 memcpy ( &subject->raw, raw, sizeof ( subject->raw ) );
372 asn1_shrink_any ( &subject->raw );
373 DBGC2 ( cert, "X509 %p subject is:\n", cert );
374 DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );
375
376 /* Parse common name */
377 if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
378 return rc;
379 DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
380 x509_name ( cert ) );
381
382 return 0;
383}
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition asn1.c:300
x509_subject
An X.509 certificate subject.
Definition x509.h:60
x509_subject::raw
struct asn1_cursor raw
Raw subject.
Definition x509.h:62
x509_parse_common_name
static int x509_parse_common_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate common name.
Definition x509.c:317
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147

References asn1_shrink_any(), asn1_cursor::data, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), raw, x509_subject::raw, rc, x509_certificate::subject, x509_name(), and x509_parse_common_name().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_public_key()

int x509_parse_public_key ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate public key information.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 392 of file x509.c.

393 {
394 struct x509_public_key *public_key = &cert->subject.public_key;
395 struct asn1_algorithm **algorithm = &public_key->algorithm;
396 struct asn1_cursor *value = &public_key->value;
397 struct asn1_cursor cursor;
398 int rc;
399
400 /* Record raw subjectPublicKeyInfo */
401 memcpy ( &cursor, raw, sizeof ( cursor ) );
402 asn1_shrink_any ( &cursor );
403 memcpy ( &public_key->raw, &cursor, sizeof ( public_key->raw ) );
404 DBGC2 ( cert, "X509 %p public key is:\n", cert );
405 DBGC2_HDA ( cert, 0, public_key->raw.data, public_key->raw.len );
406
407 /* Enter subjectPublicKeyInfo */
408 asn1_enter ( &cursor, ASN1_SEQUENCE );
409
410 /* Parse algorithm */
411 if ( ( rc = asn1_pubkey_algorithm ( &cursor, algorithm ) ) != 0 ) {
412 DBGC ( cert, "X509 %p could not parse public key algorithm: "
413 "%s\n", cert, strerror ( rc ) );
414 return rc;
415 }
416 DBGC2 ( cert, "X509 %p public key algorithm is %s\n",
417 cert, (*algorithm)->name );
418 asn1_skip_any ( &cursor );
419
420 /* Parse subjectPublicKey */
421 memcpy ( value, &cursor, sizeof ( *value ) );
422 if ( ( rc = asn1_enter_bits ( value, NULL ) ) != 0 ) {
423 DBGC ( cert, "X509 %p could not parse public key bits: %s\n",
424 cert, strerror ( rc ) );
425 return rc;
426 }
427
428 return 0;
429}
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
value
pseudo_bit_t value[0x00020]
Definition arbel.h:2
asn1_pubkey_algorithm
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
Definition asn1.c:544
asn1_enter_bits
int asn1_enter_bits(struct asn1_cursor *cursor, unsigned int *unused)
Enter ASN.1 bit string.
Definition asn1.c:311
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition ieee80211.h:1
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition asn1.h:408
x509_public_key
An X.509 certificate public key.
Definition x509.h:50
x509_public_key::algorithm
struct asn1_algorithm * algorithm
Public key algorithm.
Definition x509.h:54
x509_public_key::value
struct asn1_cursor value
Public key value.
Definition x509.h:56
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition x509.h:52
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition x509.h:66

References algorithm, x509_public_key::algorithm, asn1_enter(), asn1_enter_bits(), asn1_pubkey_algorithm(), ASN1_SEQUENCE, asn1_shrink_any(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), NULL, x509_subject::public_key, raw, x509_public_key::raw, rc, strerror(), x509_certificate::subject, value, and x509_public_key::value.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_basic_constraints()

int x509_parse_basic_constraints ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate basic constraints.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 438 of file x509.c.

439 {
440 struct x509_basic_constraints *basic = &cert->extensions.basic;
441 struct asn1_cursor cursor;
442 int ca = 0;
443 int path_len;
444 int rc;
445
446 /* Enter basicConstraints */
447 memcpy ( &cursor, raw, sizeof ( cursor ) );
448 asn1_enter ( &cursor, ASN1_SEQUENCE );
449
450 /* Parse "cA", if present */
451 if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
452 ca = asn1_boolean ( &cursor );
453 if ( ca < 0 ) {
454 rc = ca;
455 DBGC ( cert, "X509 %p cannot parse cA: %s\n",
456 cert, strerror ( rc ) );
457 DBGC_HDA ( cert, 0, raw->data, raw->len );
458 return rc;
459 }
460 asn1_skip_any ( &cursor );
461 }
462 basic->ca = ca;
463 DBGC2 ( cert, "X509 %p is %sa CA certificate\n",
464 cert, ( basic->ca ? "" : "not " ) );
465
466 /* Ignore everything else unless "cA" is true */
467 if ( ! ca )
468 return 0;
469
470 /* Parse "pathLenConstraint", if present and applicable */
471 basic->path_len = X509_PATH_LEN_UNLIMITED;
472 if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
473 if ( ( rc = asn1_integer ( &cursor, &path_len ) ) != 0 ) {
474 DBGC ( cert, "X509 %p cannot parse pathLenConstraint: "
475 "%s\n", cert, strerror ( rc ) );
476 DBGC_HDA ( cert, 0, raw->data, raw->len );
477 return rc;
478 }
479 if ( path_len < 0 ) {
480 DBGC ( cert, "X509 %p invalid pathLenConstraint %d\n",
481 cert, path_len );
482 DBGC_HDA ( cert, 0, raw->data, raw->len );
483 return -EINVAL;
484 }
485 basic->path_len = path_len;
486 DBGC2 ( cert, "X509 %p path length constraint is %d\n",
487 cert, basic->path_len );
488 }
489
490 return 0;
491}
asn1_boolean
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
Definition asn1.c:392
ASN1_BOOLEAN
#define ASN1_BOOLEAN
ASN.1 boolean.
Definition asn1.h:60
asn1_type
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition asn1.h:479
EINVAL
#define EINVAL
Invalid argument.
Definition errno.h:429
x509_basic_constraints
An X.509 certificate basic constraints set.
Definition x509.h:78
x509_basic_constraints::ca
int ca
Subject is a CA.
Definition x509.h:80
x509_basic_constraints::path_len
unsigned int path_len
Path length.
Definition x509.h:82
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition x509.h:249
x509_extensions::basic
struct x509_basic_constraints basic
Basic constraints.
Definition x509.h:159
X509_PATH_LEN_UNLIMITED
#define X509_PATH_LEN_UNLIMITED
Unlimited path length.
Definition x509.h:90

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_INTEGER, asn1_integer(), ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), x509_extensions::basic, x509_basic_constraints::ca, DBGC, DBGC2, DBGC_HDA, EINVAL, x509_certificate::extensions, memcpy(), x509_basic_constraints::path_len, raw, rc, strerror(), and X509_PATH_LEN_UNLIMITED.

◆ x509_parse_key_usage()

int x509_parse_key_usage ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 500 of file x509.c.

501 {
502 struct x509_key_usage *usage = &cert->extensions.usage;
503 struct asn1_cursor cursor;
504 const uint8_t *bytes;
505 unsigned int unused;
506 size_t len;
507 unsigned int i;
508 int rc;
509
510 /* Mark extension as present */
511 usage->present = 1;
512
513 /* Enter bit string */
514 memcpy ( &cursor, raw, sizeof ( cursor ) );
515 if ( ( rc = asn1_enter_bits ( &cursor, &unused ) ) != 0 ) {
516 DBGC ( cert, "X509 %p could not parse key usage: %s\n",
517 cert, strerror ( rc ) );
518 return rc;
519 }
520
521 /* Parse key usage bits */
522 bytes = cursor.data;
523 len = cursor.len;
524 if ( len > sizeof ( usage->bits ) )
525 len = sizeof ( usage->bits );
526 for ( i = 0 ; i < len ; i++ ) {
527 usage->bits |= ( *(bytes++) << ( 8 * i ) );
528 }
529 DBGC2 ( cert, "X509 %p key usage is %08x\n", cert, usage->bits );
530
531 return 0;
532}
bytes
uint8_t bytes[64]
Definition ib_mad.h:5
unused
uint8_t unused
Unused.
Definition librm.h:5
x509_extensions::usage
struct x509_key_usage usage
Key usage.
Definition x509.h:161
x509_key_usage
An X.509 certificate key usage.
Definition x509.h:93
x509_key_usage::present
int present
Key usage extension is present.
Definition x509.h:95
x509_key_usage::bits
unsigned int bits
Usage bits.
Definition x509.h:97

References asn1_enter_bits(), x509_key_usage::bits, bytes, asn1_cursor::data, DBGC, DBGC2, x509_certificate::extensions, asn1_cursor::len, len, memcpy(), x509_key_usage::present, raw, rc, strerror(), unused, and x509_extensions::usage.

◆ x509_parse_key_purpose()

int x509_parse_key_purpose ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate key purpose identifier.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 561 of file x509.c.

562 {
563 struct x509_extended_key_usage *ext_usage = &cert->extensions.ext_usage;
564 struct x509_key_purpose *purpose;
565 struct asn1_cursor cursor;
566 unsigned int i;
567 int rc;
568
569 /* Enter keyPurposeId */
570 memcpy ( &cursor, raw, sizeof ( cursor ) );
571 if ( ( rc = asn1_enter ( &cursor, ASN1_OID ) ) != 0 ) {
572 DBGC ( cert, "X509 %p invalid keyPurposeId:\n", cert );
573 DBGC_HDA ( cert, 0, raw->data, raw->len );
574 return rc;
575 }
576
577 /* Identify key purpose */
578 for ( i = 0 ; i < ( sizeof ( x509_key_purposes ) /
579 sizeof ( x509_key_purposes[0] ) ) ; i++ ) {
580 purpose = &x509_key_purposes[i];
581 if ( asn1_compare ( &cursor, &purpose->oid ) == 0 ) {
582 DBGC2 ( cert, "X509 %p has key purpose %s\n",
583 cert, purpose->name );
584 ext_usage->bits |= purpose->bits;
585 return 0;
586 }
587 }
588
589 /* Ignore unrecognised key purposes */
590 return 0;
591}
x509_extended_key_usage
An X.509 certificate extended key usage.
Definition x509.h:114
x509_extended_key_usage::bits
unsigned int bits
Usage bits.
Definition x509.h:116
x509_extensions::ext_usage
struct x509_extended_key_usage ext_usage
Extended key usage.
Definition x509.h:163
x509_key_purpose
An X.509 key purpose.
Definition x509.h:349
x509_key_purpose::oid
struct asn1_cursor oid
Object identifier.
Definition x509.h:353
x509_key_purpose::name
const char * name
Name.
Definition x509.h:351
x509_key_purpose::bits
unsigned int bits
Extended key usage bits.
Definition x509.h:355
x509_key_purposes
static struct x509_key_purpose x509_key_purposes[]
Supported key purposes.
Definition x509.c:541

References asn1_compare(), asn1_enter(), ASN1_OID, x509_extended_key_usage::bits, x509_key_purpose::bits, DBGC, DBGC2, DBGC_HDA, x509_extensions::ext_usage, x509_certificate::extensions, memcpy(), x509_key_purpose::name, x509_key_purpose::oid, raw, rc, and x509_key_purposes.

Referenced by x509_parse_extended_key_usage().

◆ x509_parse_extended_key_usage()

int x509_parse_extended_key_usage ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate extended key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 600 of file x509.c.

601 {
602 struct asn1_cursor cursor;
603 int rc;
604
605 /* Enter extKeyUsage */
606 memcpy ( &cursor, raw, sizeof ( cursor ) );
607 asn1_enter ( &cursor, ASN1_SEQUENCE );
608
609 /* Parse each extended key usage in turn */
610 while ( cursor.len ) {
611 if ( ( rc = x509_parse_key_purpose ( cert, &cursor ) ) != 0 )
612 return rc;
613 asn1_skip_any ( &cursor );
614 }
615
616 return 0;
617}
x509_parse_key_purpose
static int x509_parse_key_purpose(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key purpose identifier.
Definition x509.c:561

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_key_purpose().

◆ x509_parse_ocsp()

int x509_parse_ocsp ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate OCSP access method.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 626 of file x509.c.

627 {
628 struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
629 struct asn1_cursor *uri = &ocsp->uri;
630 int rc;
631
632 /* Enter accessLocation */
633 memcpy ( uri, raw, sizeof ( *uri ) );
634 if ( ( rc = asn1_enter ( uri, X509_GENERAL_NAME_URI ) ) != 0 ) {
635 DBGC ( cert, "X509 %p OCSP does not contain "
636 "uniformResourceIdentifier:\n", cert );
637 DBGC_HDA ( cert, 0, raw->data, raw->len );
638 return rc;
639 }
640 DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
641 DBGC2_HDA ( cert, 0, uri->data, uri->len );
642
643 return 0;
644}
uri
A Uniform Resource Identifier.
Definition uri.h:65
x509_authority_info_access::ocsp
struct x509_ocsp_responder ocsp
OCSP responder.
Definition x509.h:140
x509_extensions::auth_info
struct x509_authority_info_access auth_info
Authority information access.
Definition x509.h:165
x509_ocsp_responder
X.509 certificate OCSP responder.
Definition x509.h:130
x509_ocsp_responder::uri
struct asn1_cursor uri
URI.
Definition x509.h:132
X509_GENERAL_NAME_URI
@ X509_GENERAL_NAME_URI
Definition x509.h:152

References asn1_enter(), x509_extensions::auth_info, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, memcpy(), x509_authority_info_access::ocsp, raw, rc, x509_ocsp_responder::uri, and X509_GENERAL_NAME_URI.

◆ x509_find_access_method()

struct x509_access_method * x509_find_access_method ( const struct asn1_cursor * oid)
static

Identify X.509 access method by OID.

Parameters
oidOID
Return values
methodAccess method, or NULL

Definition at line 665 of file x509.c.

665 {
666 struct x509_access_method *method;
667 unsigned int i;
668
669 for ( i = 0 ; i < ( sizeof ( x509_access_methods ) /
670 sizeof ( x509_access_methods[0] ) ) ; i++ ) {
671 method = &x509_access_methods[i];
672 if ( asn1_compare ( &method->oid, oid ) == 0 )
673 return method;
674 }
675
676 return NULL;
677}
method
uint8_t method
Definition ib_mad.h:3
x509_access_method
An X.509 access method.
Definition x509.h:359
x509_access_method::oid
struct asn1_cursor oid
Object identifier.
Definition x509.h:363
x509_access_methods
static struct x509_access_method x509_access_methods[]
Supported access methods.
Definition x509.c:650

References asn1_compare(), method, NULL, x509_access_method::oid, and x509_access_methods.

Referenced by x509_parse_access_description().

◆ x509_parse_access_description()

int x509_parse_access_description ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate access description.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 686 of file x509.c.

687 {
688 struct asn1_cursor cursor;
689 struct asn1_cursor subcursor;
690 struct x509_access_method *method;
691 int rc;
692
693 /* Enter keyPurposeId */
694 memcpy ( &cursor, raw, sizeof ( cursor ) );
695 asn1_enter ( &cursor, ASN1_SEQUENCE );
696
697 /* Try to identify access method */
698 memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
699 asn1_enter ( &subcursor, ASN1_OID );
700 method = x509_find_access_method ( &subcursor );
701 asn1_skip_any ( &cursor );
702 DBGC2 ( cert, "X509 %p found access method %s\n",
703 cert, ( method ? method->name : "<unknown>" ) );
704
705 /* Parse access location, if applicable */
706 if ( method && ( ( rc = method->parse ( cert, &cursor ) ) != 0 ) )
707 return rc;
708
709 return 0;
710}
x509_find_access_method
static struct x509_access_method * x509_find_access_method(const struct asn1_cursor *oid)
Identify X.509 access method by OID.
Definition x509.c:665

References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), DBGC2, memcpy(), method, raw, rc, and x509_find_access_method().

Referenced by x509_parse_authority_info_access().

◆ x509_parse_authority_info_access()

int x509_parse_authority_info_access ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate authority information access.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 719 of file x509.c.

720 {
721 struct asn1_cursor cursor;
722 int rc;
723
724 /* Enter authorityInfoAccess */
725 memcpy ( &cursor, raw, sizeof ( cursor ) );
726 asn1_enter ( &cursor, ASN1_SEQUENCE );
727
728 /* Parse each access description in turn */
729 while ( cursor.len ) {
730 if ( ( rc = x509_parse_access_description ( cert,
731 &cursor ) ) != 0 )
732 return rc;
733 asn1_skip_any ( &cursor );
734 }
735
736 return 0;
737}
x509_parse_access_description
static int x509_parse_access_description(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate access description.
Definition x509.c:686

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_access_description().

◆ x509_parse_subject_alt_name()

int x509_parse_subject_alt_name ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate subject alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 746 of file x509.c.

747 {
748 struct x509_subject_alt_name *alt_name = &cert->extensions.alt_name;
749 struct asn1_cursor *names = &alt_name->names;
750 int rc;
751
752 /* Enter subjectAltName */
753 memcpy ( names, raw, sizeof ( *names ) );
754 if ( ( rc = asn1_enter ( names, ASN1_SEQUENCE ) ) != 0 ) {
755 DBGC ( cert, "X509 %p invalid subjectAltName: %s\n",
756 cert, strerror ( rc ) );
757 DBGC_HDA ( cert, 0, raw->data, raw->len );
758 return rc;
759 }
760 DBGC2 ( cert, "X509 %p has subjectAltName:\n", cert );
761 DBGC2_HDA ( cert, 0, names->data, names->len );
762
763 return 0;
764}
x509_extensions::alt_name
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition x509.h:167
x509_subject_alt_name
X.509 certificate subject alternative name.
Definition x509.h:144
x509_subject_alt_name::names
struct asn1_cursor names
Names.
Definition x509.h:146

References x509_extensions::alt_name, asn1_enter(), ASN1_SEQUENCE, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, asn1_cursor::len, memcpy(), x509_subject_alt_name::names, raw, rc, and strerror().

◆ x509_find_extension()

struct x509_extension * x509_find_extension ( const struct asn1_cursor * oid)
static

Identify X.509 extension by OID.

Parameters
oidOID
Return values
extensionExtension, or NULL

Definition at line 822 of file x509.c.

822 {
823 struct x509_extension *extension;
824 unsigned int i;
825
826 for ( i = 0 ; i < ( sizeof ( x509_extensions ) /
827 sizeof ( x509_extensions[0] ) ) ; i++ ) {
828 extension = &x509_extensions[i];
829 if ( asn1_compare ( &extension->oid, oid ) == 0 )
830 return extension;
831 }
832
833 return NULL;
834}
x509_extension
An X.509 extension.
Definition x509.h:333
x509_extension::oid
struct asn1_cursor oid
Object identifier.
Definition x509.h:337
x509_extensions
An X.509 certificate extensions set.
Definition x509.h:157

References asn1_compare(), NULL, and x509_extension::oid.

Referenced by x509_parse_extension().

◆ x509_parse_extension()

int x509_parse_extension ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate extension.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 843 of file x509.c.

844 {
845 struct asn1_cursor cursor;
846 struct asn1_cursor subcursor;
847 struct x509_extension *extension;
848 int is_critical = 0;
849 int rc;
850
851 /* Enter extension */
852 memcpy ( &cursor, raw, sizeof ( cursor ) );
853 asn1_enter ( &cursor, ASN1_SEQUENCE );
854
855 /* Try to identify extension */
856 memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
857 asn1_enter ( &subcursor, ASN1_OID );
858 extension = x509_find_extension ( &subcursor );
859 asn1_skip_any ( &cursor );
860 DBGC2 ( cert, "X509 %p found extension %s\n",
861 cert, ( extension ? extension->name : "<unknown>" ) );
862
863 /* Identify criticality */
864 if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
865 is_critical = asn1_boolean ( &cursor );
866 if ( is_critical < 0 ) {
867 rc = is_critical;
868 DBGC ( cert, "X509 %p cannot parse extension "
869 "criticality: %s\n", cert, strerror ( rc ) );
870 DBGC_HDA ( cert, 0, raw->data, raw->len );
871 return rc;
872 }
873 asn1_skip_any ( &cursor );
874 }
875
876 /* Handle unknown extensions */
877 if ( ! extension ) {
878 if ( is_critical ) {
879 /* Fail if we cannot handle a critical extension */
880 DBGC ( cert, "X509 %p cannot handle critical "
881 "extension:\n", cert );
882 DBGC_HDA ( cert, 0, raw->data, raw->len );
883 return -ENOTSUP_EXTENSION;
884 } else {
885 /* Ignore unknown non-critical extensions */
886 return 0;
887 }
888 };
889
890 /* Extract extnValue */
891 if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
892 DBGC ( cert, "X509 %p extension missing extnValue:\n", cert );
893 DBGC_HDA ( cert, 0, raw->data, raw->len );
894 return rc;
895 }
896
897 /* Parse extension */
898 if ( ( rc = extension->parse ( cert, &cursor ) ) != 0 )
899 return rc;
900
901 return 0;
902}
ASN1_OCTET_STRING
#define ASN1_OCTET_STRING
ASN.1 octet string.
Definition asn1.h:69
x509_extension::parse
int(* parse)(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse extension.
Definition x509.h:344
x509_extension::name
const char * name
Name.
Definition x509.h:335
x509_find_extension
static struct x509_extension * x509_find_extension(const struct asn1_cursor *oid)
Identify X.509 extension by OID.
Definition x509.c:822
ENOTSUP_EXTENSION
#define ENOTSUP_EXTENSION
Definition x509.c:63

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_OCTET_STRING, ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), DBGC, DBGC2, DBGC_HDA, ENOTSUP_EXTENSION, memcpy(), x509_extension::name, x509_extension::parse, raw, rc, strerror(), and x509_find_extension().

Referenced by x509_parse_extensions().

◆ x509_parse_extensions()

int x509_parse_extensions ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate extensions, if present.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 911 of file x509.c.

912 {
913 struct asn1_cursor cursor;
914 int rc;
915
916 /* Enter extensions, if present */
917 memcpy ( &cursor, raw, sizeof ( cursor ) );
918 asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 3 ) );
919 asn1_enter ( &cursor, ASN1_SEQUENCE );
920
921 /* Parse each extension in turn */
922 while ( cursor.len ) {
923 if ( ( rc = x509_parse_extension ( cert, &cursor ) ) != 0 )
924 return rc;
925 asn1_skip_any ( &cursor );
926 }
927
928 return 0;
929}
x509_parse_extension
static int x509_parse_extension(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extension.
Definition x509.c:843

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_extension().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_tbscertificate()

int x509_parse_tbscertificate ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
static

Parse X.509 certificate tbsCertificate.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 938 of file x509.c.

939 {
940 struct asn1_algorithm **algorithm = &cert->signature_algorithm;
941 struct asn1_cursor cursor;
942 int rc;
943
944 /* Record raw tbsCertificate */
945 memcpy ( &cursor, raw, sizeof ( cursor ) );
946 asn1_shrink_any ( &cursor );
947 memcpy ( &cert->tbs, &cursor, sizeof ( cert->tbs ) );
948
949 /* Enter tbsCertificate */
950 asn1_enter ( &cursor, ASN1_SEQUENCE );
951
952 /* Parse version, if present */
953 if ( asn1_type ( &cursor ) == ASN1_EXPLICIT_TAG ( 0 ) ) {
954 if ( ( rc = x509_parse_version ( cert, &cursor ) ) != 0 )
955 return rc;
956 asn1_skip_any ( &cursor );
957 }
958
959 /* Parse serialNumber */
960 if ( ( rc = x509_parse_serial ( cert, &cursor ) ) != 0 )
961 return rc;
962 asn1_skip_any ( &cursor );
963
964 /* Parse signature */
965 if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
966 DBGC ( cert, "X509 %p could not parse signature algorithm: "
967 "%s\n", cert, strerror ( rc ) );
968 return rc;
969 }
970 DBGC2 ( cert, "X509 %p tbsCertificate signature algorithm is %s\n",
971 cert, (*algorithm)->name );
972 asn1_skip_any ( &cursor );
973
974 /* Parse issuer */
975 if ( ( rc = x509_parse_issuer ( cert, &cursor ) ) != 0 )
976 return rc;
977 asn1_skip_any ( &cursor );
978
979 /* Parse validity */
980 if ( ( rc = x509_parse_validity ( cert, &cursor ) ) != 0 )
981 return rc;
982 asn1_skip_any ( &cursor );
983
984 /* Parse subject */
985 if ( ( rc = x509_parse_subject ( cert, &cursor ) ) != 0 )
986 return rc;
987 asn1_skip_any ( &cursor );
988
989 /* Parse subjectPublicKeyInfo */
990 if ( ( rc = x509_parse_public_key ( cert, &cursor ) ) != 0 )
991 return rc;
992 asn1_skip_any ( &cursor );
993
994 /* Parse extensions, if present */
995 if ( ( rc = x509_parse_extensions ( cert, &cursor ) ) != 0 )
996 return rc;
997
998 return 0;
999}
asn1_signature_algorithm
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition asn1.c:624
x509_certificate::tbs
struct asn1_cursor tbs
Raw tbsCertificate.
Definition x509.h:237
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition x509.h:239
x509_parse_issuer
static int x509_parse_issuer(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate issuer.
Definition x509.c:249
x509_parse_version
static int x509_parse_version(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate version.
Definition x509.c:184
x509_parse_serial
static int x509_parse_serial(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate serial number.
Definition x509.c:224
x509_parse_extensions
static int x509_parse_extensions(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extensions, if present.
Definition x509.c:911
x509_parse_validity
static int x509_parse_validity(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate validity.
Definition x509.c:274
x509_parse_public_key
static int x509_parse_public_key(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate public key information.
Definition x509.c:392
x509_parse_subject
static int x509_parse_subject(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject.
Definition x509.c:365

References algorithm, asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_shrink_any(), asn1_signature_algorithm(), asn1_skip_any(), asn1_type(), DBGC, DBGC2, memcpy(), raw, rc, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, x509_parse_extensions(), x509_parse_issuer(), x509_parse_public_key(), x509_parse_serial(), x509_parse_subject(), x509_parse_validity(), and x509_parse_version().

Referenced by x509_parse().

◆ x509_parse()

int x509_parse ( struct x509_certificate * cert,
const struct asn1_cursor * raw )

Parse X.509 certificate from ASN.1 data.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 1008 of file x509.c.

1009 {
1010 struct x509_signature *signature = &cert->signature;
1011 struct asn1_algorithm **signature_algorithm = &signature->algorithm;
1012 struct asn1_cursor *signature_value = &signature->value;
1013 struct asn1_cursor cursor;
1014 int rc;
1015
1016 /* Record raw certificate */
1017 memcpy ( &cursor, raw, sizeof ( cursor ) );
1018 memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
1019
1020 /* Enter certificate */
1021 asn1_enter ( &cursor, ASN1_SEQUENCE );
1022
1023 /* Parse tbsCertificate */
1024 if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
1025 return rc;
1026 asn1_skip_any ( &cursor );
1027
1028 /* Parse signatureAlgorithm */
1029 if ( ( rc = asn1_signature_algorithm ( &cursor,
1030 signature_algorithm ) ) != 0 ) {
1031 DBGC ( cert, "X509 %p could not parse signature algorithm: "
1032 "%s\n", cert, strerror ( rc ) );
1033 return rc;
1034 }
1035 DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
1036 cert, (*signature_algorithm)->name );
1037 asn1_skip_any ( &cursor );
1038
1039 /* Parse signatureValue */
1040 memcpy ( signature_value, &cursor, sizeof ( *signature_value ) );
1041 if ( ( rc = asn1_enter_bits ( signature_value, NULL ) ) != 0 ) {
1042 DBGC ( cert, "X509 %p could not parse signature value: %s\n",
1043 cert, strerror ( rc ) );
1044 return rc;
1045 }
1046 DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
1047 DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
1048
1049 /* Check that algorithm in tbsCertificate matches algorithm in
1050 * signature
1051 */
1052 if ( signature->algorithm != (*signature_algorithm) ) {
1053 DBGC ( cert, "X509 %p signature algorithm %s does not match "
1054 "signatureAlgorithm %s\n",
1055 cert, signature->algorithm->name,
1056 (*signature_algorithm)->name );
1057 return -EINVAL_ALGORITHM_MISMATCH;
1058 }
1059
1060 return 0;
1061}
signature
u8 signature
CPU signature.
Definition CIB_PRM.h:7
x509_certificate::signature
struct x509_signature signature
Signature.
Definition x509.h:247
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition x509.h:231
x509_signature
An X.509 certificate signature.
Definition x509.h:70
x509_parse_tbscertificate
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Definition x509.c:938
EINVAL_ALGORITHM_MISMATCH
#define EINVAL_ALGORITHM_MISMATCH
Definition x509.c:71

References asn1_enter(), asn1_enter_bits(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, memcpy(), NULL, raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

◆ x509_certificate()

int x509_certificate ( const void * data,
size_t len,
struct x509_certificate ** cert )

Create X.509 certificate.

Parameters
dataRaw certificate data
lenLength of raw data
Return values
certX.509 certificate
rcReturn status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1074 of file x509.c.

1075 {
1076 struct asn1_cursor cursor;
1077 void *raw;
1078 int rc;
1079
1080 /* Initialise cursor */
1081 cursor.data = data;
1082 cursor.len = len;
1083 asn1_shrink_any ( &cursor );
1084
1085 /* Return stored certificate, if present */
1086 if ( ( *cert = x509_find ( NULL, &cursor ) ) != NULL ) {
1087
1088 /* Add caller's reference */
1089 x509_get ( *cert );
1090 return 0;
1091 }
1092
1093 /* Allocate and initialise certificate */
1094 *cert = zalloc ( sizeof ( **cert ) + cursor.len );
1095 if ( ! *cert )
1096 return -ENOMEM;
1097 ref_init ( &(*cert)->refcnt, x509_free );
1098 raw = ( *cert + 1 );
1099
1100 /* Copy raw data */
1101 memcpy ( raw, cursor.data, cursor.len );
1102 cursor.data = raw;
1103
1104 /* Parse certificate */
1105 if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
1106 x509_put ( *cert );
1107 *cert = NULL;
1108 return rc;
1109 }
1110
1111 /* Add certificate to store */
1112 certstore_add ( *cert );
1113
1114 return 0;
1115}
certstore_add
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition certstore.c:101
data
uint8_t data[48]
Additional event data.
Definition ena.h:11
ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition malloc.c:662
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition refcnt.h:65
x509_parse
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition x509.c:1008
x509_free
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
Definition x509.c:133
x509_find
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
Definition x509.c:1746
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition x509.h:267
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition x509.h:278

References asn1_shrink_any(), certstore_add(), asn1_cursor::data, data, ENOMEM, asn1_cursor::len, len, memcpy(), NULL, raw, rc, ref_init, x509_find(), x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

◆ x509_check_signature()

int x509_check_signature ( struct x509_certificate * cert,
struct x509_public_key * public_key )
static

Check X.509 certificate signature.

Parameters
certX.509 certificate
public_keyX.509 public key
Return values
rcReturn status code

Definition at line 1124 of file x509.c.

1125 {
1126 struct x509_signature *signature = &cert->signature;
1127 struct asn1_algorithm *algorithm = signature->algorithm;
1128 struct digest_algorithm *digest = algorithm->digest;
1129 struct pubkey_algorithm *pubkey = algorithm->pubkey;
1130 uint8_t digest_ctx[ digest->ctxsize ];
1131 uint8_t digest_out[ digest->digestsize ];
1132 int rc;
1133
1134 /* Sanity check */
1135 assert ( cert->signature_algorithm == cert->signature.algorithm );
1136
1137 /* Calculate certificate digest */
1138 digest_init ( digest, digest_ctx );
1139 digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
1140 digest_final ( digest, digest_ctx, digest_out );
1141 DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
1142 DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );
1143
1144 /* Check that signature public key algorithm matches signer */
1145 if ( public_key->algorithm->pubkey != pubkey ) {
1146 DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
1147 "match signer's algorithm %s\n",
1148 cert, x509_name ( cert ), algorithm->name,
1149 public_key->algorithm->name );
1150 rc = -EINVAL_ALGORITHM_MISMATCH;
1151 goto err_mismatch;
1152 }
1153
1154 /* Verify signature using signer's public key */
1155 if ( ( rc = pubkey_verify ( pubkey, &public_key->raw, digest,
1156 digest_out, &signature->value ) ) != 0 ) {
1157 DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
1158 "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1159 goto err_pubkey_verify;
1160 }
1161
1162 /* Success */
1163 rc = 0;
1164
1165 err_pubkey_verify:
1166 err_mismatch:
1167 return rc;
1168}
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition crypto.h:219
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition crypto.h:230
pubkey_verify
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const struct asn1_cursor *signature)
Definition crypto.h:308
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition crypto.h:224
asn1_algorithm::name
const char * name
Name.
Definition asn1.h:410
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition asn1.h:414
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition crypto.h:23
pubkey_algorithm
A public key algorithm.
Definition crypto.h:122
x509_signature::algorithm
struct asn1_algorithm * algorithm
Signature algorithm.
Definition x509.h:72

References algorithm, x509_public_key::algorithm, x509_signature::algorithm, assert, digest_algorithm::ctxsize, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, asn1_algorithm::name, asn1_algorithm::pubkey, pubkey_verify(), x509_public_key::raw, rc, signature, x509_certificate::signature, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, and x509_name().

Referenced by x509_check_issuer().

◆ x509_check_issuer()

int x509_check_issuer ( struct x509_certificate * cert,
struct x509_certificate * issuer )

Check X.509 certificate against issuer certificate.

Parameters
certX.509 certificate
issuerX.509 issuer certificate
Return values
rcReturn status code

Definition at line 1177 of file x509.c.

1178 {
1179 struct x509_public_key *public_key = &issuer->subject.public_key;
1180 int rc;
1181
1182 /* Check issuer. In theory, this should be a full X.500 DN
1183 * comparison, which would require support for a plethora of
1184 * abominations such as TeletexString (which allows the
1185 * character set to be changed mid-string using escape codes).
1186 * In practice, we assume that anyone who deliberately changes
1187 * the encoding of the issuer DN is probably a masochist who
1188 * will rather enjoy the process of figuring out exactly why
1189 * their certificate doesn't work.
1190 *
1191 * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
1192 * for some enjoyable ranting on this subject.
1193 */
1194 if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
1195 DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
1196 cert, x509_name ( cert ) );
1197 DBGC ( cert, "X509 %p \"%s\" subject\n",
1198 issuer, x509_name ( issuer ) );
1199 DBGC_HDA ( cert, 0, cert->issuer.raw.data,
1200 cert->issuer.raw.len );
1201 DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
1202 issuer->subject.raw.len );
1203 return -EACCES_WRONG_ISSUER;
1204 }
1205
1206 /* Check that issuer is allowed to sign certificates */
1207 if ( ! issuer->extensions.basic.ca ) {
1208 DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1209 issuer, x509_name ( issuer ) );
1210 DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
1211 cert, x509_name ( cert ) );
1212 return -EACCES_NOT_CA;
1213 }
1214 if ( issuer->extensions.usage.present &&
1215 ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
1216 DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1217 issuer, x509_name ( issuer ) );
1218 DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
1219 cert, x509_name ( cert ) );
1220 return -EACCES_KEY_USAGE;
1221 }
1222
1223 /* Check signature */
1224 if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
1225 return rc;
1226
1227 return 0;
1228}
EACCES_NOT_CA
#define EACCES_NOT_CA
Definition x509.c:87
EACCES_WRONG_ISSUER
#define EACCES_WRONG_ISSUER
Definition x509.c:83
x509_check_signature
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
Definition x509.c:1124
EACCES_KEY_USAGE
#define EACCES_KEY_USAGE
Definition x509.c:91
X509_KEY_CERT_SIGN
@ X509_KEY_CERT_SIGN
Definition x509.h:107

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_issuer::raw, x509_subject::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

◆ x509_fingerprint()

void x509_fingerprint ( struct x509_certificate * cert,
struct digest_algorithm * digest,
void * fingerprint )

Calculate X.509 certificate fingerprint.

Parameters
certX.509 certificate
digestDigest algorithm
fingerprintFingerprint buffer

Definition at line 1237 of file x509.c.

1239 {
1240 uint8_t ctx[ digest->ctxsize ];
1241
1242 /* Calculate fingerprint */
1243 digest_init ( digest, ctx );
1244 digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
1245 digest_final ( digest, ctx, fingerprint );
1246}
ctx
struct golan_eq_context ctx
Definition CIB_PRM.h:0

References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

◆ x509_check_root()

int x509_check_root ( struct x509_certificate * cert,
struct x509_root * root )

Check X.509 root certificate.

Parameters
certX.509 certificate
rootX.509 root certificate list
Return values
rcReturn status code

Definition at line 1255 of file x509.c.

1255 {
1256 struct digest_algorithm *digest = root->digest;
1257 uint8_t fingerprint[ digest->digestsize ];
1258 const uint8_t *root_fingerprint = root->fingerprints;
1259 unsigned int i;
1260
1261 /* Calculate certificate fingerprint */
1262 x509_fingerprint ( cert, digest, fingerprint );
1263
1264 /* Check fingerprint against all root certificates */
1265 for ( i = 0 ; i < root->count ; i++ ) {
1266 if ( memcmp ( fingerprint, root_fingerprint,
1267 sizeof ( fingerprint ) ) == 0 ) {
1268 DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
1269 cert, x509_name ( cert ) );
1270 return 0;
1271 }
1272 root_fingerprint += sizeof ( fingerprint );
1273 }
1274
1275 DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
1276 cert, x509_name ( cert ) );
1277 return -ENOENT;
1278}
ENOENT
#define ENOENT
No such file or directory.
Definition errno.h:515
root
struct stp_switch root
Root switch.
Definition stp.h:15
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115

References DBGC, DBGC2, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

◆ x509_check_time()

int x509_check_time ( struct x509_certificate * cert,
time_t time )

Check X.509 certificate validity period.

Parameters
certX.509 certificate
timeTime at which to check certificate
Return values
rcReturn status code

Definition at line 1287 of file x509.c.

1287 {
1288 struct x509_validity *validity = &cert->validity;
1289
1290 /* Check validity period */
1291 if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
1292 DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1293 cert, x509_name ( cert ), time );
1294 return -EACCES_EXPIRED;
1295 }
1296 if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
1297 DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1298 cert, x509_name ( cert ), time );
1299 return -EACCES_EXPIRED;
1300 }
1301
1302 DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
1303 cert, x509_name ( cert ), time );
1304 return 0;
1305}
TIMESTAMP_ERROR_MARGIN
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
Definition crypto.h:79
EACCES_EXPIRED
#define EACCES_EXPIRED
Definition x509.c:95

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

◆ x509_is_valid()

int x509_is_valid ( struct x509_certificate * cert,
struct x509_root * root )

Check if X.509 certificate is valid.

Parameters
certX.509 certificate
rootRoot certificate list, or NULL to use default

Definition at line 1313 of file x509.c.

1313 {
1314
1315 /* Use default root certificate store if none specified */
1316 if ( ! root )
1317 root = &root_certificates;
1318
1319 return ( cert->root == root );
1320}
root_certificates
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

◆ x509_set_valid()

void x509_set_valid ( struct x509_certificate * cert,
struct x509_certificate * issuer,
struct x509_root * root )

Set X.509 certificate as validated.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
rootRoot certificate list

Definition at line 1329 of file x509.c.

1331 {
1332 unsigned int max_path_remaining;
1333
1334 /* Sanity checks */
1335 assert ( root != NULL );
1336 assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );
1337
1338 /* Record validation root */
1339 x509_root_put ( cert->root );
1340 cert->root = x509_root_get ( root );
1341
1342 /* Calculate effective path length */
1343 cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
1344 if ( issuer ) {
1345 max_path_remaining = ( issuer->path_remaining - 1 );
1346 if ( cert->path_remaining > max_path_remaining )
1347 cert->path_remaining = max_path_remaining;
1348 }
1349}
x509_certificate::path_remaining
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition x509.h:228
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition x509.h:393

References assert, x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().

Referenced by efi_cacert(), and x509_validate().

◆ x509_validate()

int x509_validate ( struct x509_certificate * cert,
struct x509_certificate * issuer,
time_t time,
struct x509_root * root )

Validate X.509 certificate.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
timeTime at which to validate certificate
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

The issuing certificate must have already been validated.

Validation results are cached: if a certificate has already been successfully validated then issuer, time, and root will be ignored.

Definition at line 1366 of file x509.c.

1368 {
1369 int rc;
1370
1371 /* Use default root certificate store if none specified */
1372 if ( ! root )
1373 root = &root_certificates;
1374
1375 /* Return success if certificate has already been validated */
1376 if ( x509_is_valid ( cert, root ) )
1377 return 0;
1378
1379 /* Fail if certificate is invalid at specified time */
1380 if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
1381 return rc;
1382
1383 /* Succeed if certificate is a trusted root certificate */
1384 if ( x509_check_root ( cert, root ) == 0 ) {
1385 x509_set_valid ( cert, NULL, root );
1386 return 0;
1387 }
1388
1389 /* Fail unless we have an issuer */
1390 if ( ! issuer ) {
1391 DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
1392 cert, x509_name ( cert ) );
1393 return -EACCES_UNTRUSTED;
1394 }
1395
1396 /* Fail unless issuer has already been validated */
1397 if ( ! x509_is_valid ( issuer, root ) ) {
1398 DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1399 DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1400 issuer, x509_name ( issuer ) );
1401 return -EACCES_OUT_OF_ORDER;
1402 }
1403
1404 /* Fail if issuing certificate cannot validate this certificate */
1405 if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
1406 return rc;
1407
1408 /* Fail if path length constraint is violated */
1409 if ( issuer->path_remaining == 0 ) {
1410 DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1411 DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1412 issuer, x509_name ( issuer ) );
1413 return -EACCES_PATH_LEN;
1414 }
1415
1416 /* Fail if OCSP is required */
1417 if ( ocsp_required ( cert ) ) {
1418 DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1419 cert, x509_name ( cert ) );
1420 return -EACCES_OCSP_REQUIRED;
1421 }
1422
1423 /* Mark certificate as valid */
1424 x509_set_valid ( cert, issuer, root );
1425
1426 DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1427 cert, x509_name ( cert ) );
1428 DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1429 return 0;
1430}
EACCES_UNTRUSTED
#define EACCES_UNTRUSTED
Definition image.c:49
ocsp_required
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition ocsp.h:129
EACCES_OCSP_REQUIRED
#define EACCES_OCSP_REQUIRED
Definition x509.c:115
x509_check_root
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
Definition x509.c:1255
x509_check_issuer
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
Definition x509.c:1177
EACCES_PATH_LEN
#define EACCES_PATH_LEN
Definition x509.c:99
x509_is_valid
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
Definition x509.c:1313
EACCES_OUT_OF_ORDER
#define EACCES_OUT_OF_ORDER
Definition x509.c:107
x509_check_time
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
Definition x509.c:1287
x509_set_valid
void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition x509.c:1329

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), REQUIRING_SYMBOL(), and x509_validate_chain().

◆ x509_check_dnsname()

int x509_check_dnsname ( struct x509_certificate * cert,
const struct asn1_cursor * raw,
const char * name )
static

Check X.509 certificate alternative dNSName.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1440 of file x509.c.

1442 {
1443 const char *fullname = name;
1444 const char *dnsname = raw->data;
1445 size_t len = raw->len;
1446
1447 /* Check for wildcards */
1448 if ( ( len >= 2 ) && ( dnsname[0] == '*' ) && ( dnsname[1] == '.' ) ) {
1449
1450 /* Skip initial "*." */
1451 dnsname += 2;
1452 len -= 2;
1453
1454 /* Skip initial portion of name to be tested */
1455 name = strchr ( name, '.' );
1456 if ( ! name )
1457 return -ENOENT;
1458 name++;
1459 }
1460
1461 /* Compare names */
1462 if ( ! ( ( strlen ( name ) == len ) &&
1463 ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
1464 return -ENOENT;
1465
1466 if ( name != fullname ) {
1467 DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
1468 "\"*.%s\"\n", cert, x509_name ( cert ), name );
1469 }
1470 return 0;
1471}
name
const char * name
Definition ath9k_hw.c:1986
strchr
char * strchr(const char *src, int character)
Find character within a string.
Definition string.c:272
strncasecmp
int strncasecmp(const char *first, const char *second, size_t max)
Compare case-insensitive strings.
Definition string.c:222
strlen
size_t strlen(const char *src)
Get length of string.
Definition string.c:244

References DBGC2, ENOENT, len, name, raw, strchr(), strlen(), strncasecmp(), and x509_name().

Referenced by x509_check_alt_name(), and x509_check_name().

◆ x509_check_ipaddress()

int x509_check_ipaddress ( struct x509_certificate * cert,
const struct asn1_cursor * raw,
const char * name )
static

Check X.509 certificate alternative iPAddress.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1481 of file x509.c.

1483 {
1484 struct sockaddr sa;
1485 sa_family_t family;
1486 const void *address;
1487 int rc;
1488
1489 /* Determine address family */
1490 if ( raw->len == sizeof ( struct in_addr ) ) {
1491 struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
1492 family = AF_INET;
1493 address = &sin->sin_addr;
1494 } else if ( raw->len == sizeof ( struct in6_addr ) ) {
1495 struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
1496 family = AF_INET6;
1497 address = &sin6->sin6_addr;
1498 } else {
1499 DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
1500 "length %zd\n", cert, x509_name ( cert ), raw->len );
1501 DBGC_HDA ( cert, 0, raw->data, raw->len );
1502 return -EINVAL;
1503 }
1504
1505 /* Attempt to convert name to a socket address */
1506 if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
1507 DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
1508 "iPAddress: %s\n", cert, x509_name ( cert ), name,
1509 strerror ( rc ) );
1510 return rc;
1511 }
1512 if ( sa.sa_family != family )
1513 return -ENOENT;
1514
1515 /* Compare addresses */
1516 if ( memcmp ( address, raw->data, raw->len ) != 0 )
1517 return -ENOENT;
1518
1519 DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
1520 cert, x509_name ( cert ), sock_ntoa ( &sa ) );
1521 return 0;
1522}
address
uint64_t address
Base address.
Definition ena.h:13
AF_INET
#define AF_INET
IPv4 Internet addresses.
Definition socket.h:64
AF_INET6
#define AF_INET6
IPv6 Internet addresses.
Definition socket.h:65
sock_aton
int sock_aton(const char *string, struct sockaddr *sa)
Parse socket address.
Definition socket.c:60
sock_ntoa
const char * sock_ntoa(struct sockaddr *sa)
Transcribe socket address.
Definition socket.c:43
sa_family_t
uint16_t sa_family_t
A socket address family.
Definition socket.h:86
in6_addr
IP6 address structure.
Definition in.h:51
in_addr
IP address structure.
Definition in.h:42
sockaddr_in6
IPv6 socket address.
Definition in.h:118
sockaddr_in
IPv4 socket address.
Definition in.h:85
sockaddr
Generalized socket address structure.
Definition socket.h:97
sin6
struct sockaddr_in6 sin6
Definition syslog.c:60
sa
struct sockaddr sa
Definition syslog.c:57
sin
struct sockaddr_in sin
Definition syslog.c:59

References address, AF_INET, AF_INET6, DBGC, DBGC2, DBGC_HDA, EINVAL, ENOENT, memcmp(), name, raw, rc, sa, sin, sin6, sock_aton(), sock_ntoa(), strerror(), and x509_name().

Referenced by x509_check_alt_name().

◆ x509_check_alt_name()

int x509_check_alt_name ( struct x509_certificate * cert,
const struct asn1_cursor * raw,
const char * name )
static

Check X.509 certificate alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1532 of file x509.c.

1534 {
1535 struct asn1_cursor alt_name;
1536 unsigned int type;
1537
1538 /* Enter generalName */
1539 memcpy ( &alt_name, raw, sizeof ( alt_name ) );
1540 type = asn1_type ( &alt_name );
1541 asn1_enter_any ( &alt_name );
1542
1543 /* Check this name */
1544 switch ( type ) {
1545 case X509_GENERAL_NAME_DNS :
1546 return x509_check_dnsname ( cert, &alt_name, name );
1547 case X509_GENERAL_NAME_IP :
1548 return x509_check_ipaddress ( cert, &alt_name, name );
1549 default:
1550 DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
1551 cert, x509_name ( cert ), type );
1552 DBGC2_HDA ( cert, 0, alt_name.data, alt_name.len );
1553 return -ENOTSUP;
1554 }
1555}
type
uint32_t type
Operating system type.
Definition ena.h:1
ENOTSUP
#define ENOTSUP
Operation not supported.
Definition errno.h:590
x509_check_dnsname
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition x509.c:1440
x509_check_ipaddress
static int x509_check_ipaddress(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative iPAddress.
Definition x509.c:1481
X509_GENERAL_NAME_DNS
@ X509_GENERAL_NAME_DNS
Definition x509.h:151
X509_GENERAL_NAME_IP
@ X509_GENERAL_NAME_IP
Definition x509.h:153

References asn1_enter_any(), asn1_type(), asn1_cursor::data, DBGC2, DBGC2_HDA, ENOTSUP, asn1_cursor::len, memcpy(), name, raw, type, x509_check_dnsname(), x509_check_ipaddress(), X509_GENERAL_NAME_DNS, X509_GENERAL_NAME_IP, and x509_name().

Referenced by x509_check_name().

◆ x509_check_name()

int x509_check_name ( struct x509_certificate * cert,
const char * name )

Check X.509 certificate name.

Parameters
certX.509 certificate
nameName
Return values
rcReturn status code

Definition at line 1564 of file x509.c.

1564 {
1565 struct asn1_cursor *common_name = &cert->subject.common_name;
1566 struct asn1_cursor alt_name;
1567 int rc;
1568
1569 /* Check commonName */
1570 if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
1571 DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
1572 cert, x509_name ( cert ), name );
1573 return 0;
1574 }
1575
1576 /* Check any subjectAlternativeNames */
1577 memcpy ( &alt_name, &cert->extensions.alt_name.names,
1578 sizeof ( alt_name ) );
1579 for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
1580 if ( ( rc = x509_check_alt_name ( cert, &alt_name,
1581 name ) ) == 0 ) {
1582 DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
1583 "\"%s\"\n", cert, x509_name ( cert ), name );
1584 return 0;
1585 }
1586 }
1587
1588 DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
1589 cert, x509_name ( cert ), name );
1590 return -EACCES_WRONG_NAME;
1591}
EACCES_WRONG_NAME
#define EACCES_WRONG_NAME
Definition cms.c:55
x509_check_alt_name
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
Definition x509.c:1532

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

◆ x509_free_chain()

void x509_free_chain ( struct refcnt * refcnt)
static

Free X.509 certificate chain.

Parameters
refcntReference count

Definition at line 1598 of file x509.c.

1598 {
1599 struct x509_chain *chain =
1600 container_of ( refcnt, struct x509_chain, refcnt );
1601
1602 DBGC2 ( chain, "X509 chain %p freed\n", chain );
1603
1604 /* Free chain */
1605 x509_truncate ( chain, NULL );
1606 assert ( list_empty ( &chain->links ) );
1607 free ( chain );
1608}
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition list.h:137
x509_chain
An X.509 certificate chain.
Definition x509.h:201
x509_chain::links
struct list_head links
List of links.
Definition x509.h:205
x509_truncate
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition x509.c:1704

References assert, container_of, DBGC2, free, x509_chain::links, list_empty, NULL, and x509_truncate().

Referenced by x509_alloc_chain().

◆ x509_alloc_chain()

struct x509_chain * x509_alloc_chain ( void )

Allocate X.509 certificate chain.

Return values
chainX.509 certificate chain, or NULL

Definition at line 1615 of file x509.c.

1615 {
1616 struct x509_chain *chain;
1617
1618 /* Allocate chain */
1619 chain = zalloc ( sizeof ( *chain ) );
1620 if ( ! chain )
1621 return NULL;
1622
1623 /* Initialise chain */
1624 ref_init ( &chain->refcnt, x509_free_chain );
1625 INIT_LIST_HEAD ( &chain->links );
1626
1627 DBGC2 ( chain, "X509 chain %p allocated\n", chain );
1628 return chain;
1629}
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition list.h:46
x509_chain::refcnt
struct refcnt refcnt
Reference count.
Definition x509.h:203
x509_free_chain
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
Definition x509.c:1598

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse_participants(), cms_parse_signed(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

◆ x509_append()

int x509_append ( struct x509_chain * chain,
struct x509_certificate * cert )

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certX.509 certificate
Return values
rcReturn status code

Definition at line 1638 of file x509.c.

1638 {
1639 struct x509_link *link;
1640 int rc;
1641
1642 /* Ensure allocation of link cannot invalidate certificate */
1643 x509_get ( cert );
1644
1645 /* Allocate link */
1646 link = zalloc ( sizeof ( *link ) );
1647 if ( ! link ) {
1648 rc = -ENOMEM;
1649 goto err_alloc;
1650 }
1651
1652 /* Add link to chain */
1653 link->cert = x509_get ( cert );
1654 list_add_tail ( &link->list, &chain->links );
1655 DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
1656 chain, cert, x509_name ( cert ) );
1657
1658 /* Success */
1659 rc = 0;
1660
1661 x509_put ( cert );
1662 err_alloc:
1663 return rc;
1664}
link
u32 link
Link to next descriptor.
Definition ar9003_mac.h:1
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition list.h:94
x509_link
A link in an X.509 certificate chain.
Definition x509.h:171
x509_link::cert
struct x509_certificate * cert
Certificate.
Definition x509.h:175

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, rc, x509_get(), x509_name(), x509_put(), and zalloc().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

◆ x509_append_raw()

int x509_append_raw ( struct x509_chain * chain,
const void * data,
size_t len )

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
dataRaw certificate data
lenLength of raw data
Return values
rcReturn status code

Definition at line 1674 of file x509.c.

1675 {
1676 struct x509_certificate *cert;
1677 int rc;
1678
1679 /* Parse certificate */
1680 if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
1681 goto err_parse;
1682
1683 /* Append certificate to chain */
1684 if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1685 goto err_append;
1686
1687 /* Drop reference to certificate */
1688 x509_put ( cert );
1689
1690 return 0;
1691
1692 err_append:
1693 x509_put ( cert );
1694 err_parse:
1695 return rc;
1696}
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1638

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), efi_cacert(), tls_parse_chain(), and validator_append().

◆ x509_truncate()

void x509_truncate ( struct x509_chain * chain,
struct x509_link * link )

Truncate X.509 certificate chain.

Parameters
chainX.509 certificate chain
linkLink after which to truncate chain, or NULL

Definition at line 1704 of file x509.c.

1704 {
1705 struct x509_link *tmp;
1706
1707 /* Truncate entire chain if no link is specified */
1708 if ( ! link )
1709 link = list_entry ( &chain->links, struct x509_link, list );
1710
1711 /* Free each link in the chain */
1712 list_for_each_entry_safe_continue ( link, tmp, &chain->links, list ) {
1713 x509_put ( link->cert );
1714 list_del ( &link->list );
1715 free ( link );
1716 }
1717}
tmp
unsigned long tmp
Definition linux_pci.h:65
list_for_each_entry_safe_continue
#define list_for_each_entry_safe_continue(pos, tmp, head, member)
Iterate over subsequent entries in a list, safe against deletion.
Definition list.h:501
list_entry
#define list_entry(list, type, member)
Get the container of a list entry.
Definition list.h:322
list_del
#define list_del(list)
Delete an entry from a list.
Definition list.h:120
x509_link::list
struct list_head list
List of links.
Definition x509.h:173

References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().

Referenced by efi_cacert_shutdown(), validator_append(), x509_free_chain(), and x509_test_exec().

◆ x509_found()

struct x509_certificate * x509_found ( struct x509_chain * store,
struct x509_certificate * cert )
static

Mark X.509 certificate as found.

Parameters
storeCertificate store
certX.509 certificate
Return values
certX.509 certificate

Definition at line 1726 of file x509.c.

1727 {
1728
1729 /* Sanity check */
1730 assert ( store != NULL );
1731
1732 /* Mark as found, if applicable */
1733 if ( store->found )
1734 store->found ( store, cert );
1735
1736 return cert;
1737}
x509_chain::found
void(* found)(struct x509_chain *store, struct x509_certificate *cert)
Mark certificate as found.
Definition x509.h:211

References assert, NULL, and x509_certificate::store.

Referenced by x509_find(), x509_find_issuer_serial(), x509_find_key(), and x509_find_subject().

◆ x509_find()

struct x509_certificate * x509_find ( struct x509_chain * store,
const struct asn1_cursor * raw )

Identify X.509 certificate by raw certificate data.

Parameters
storeCertificate store, or NULL to use default
rawRaw certificate data
Return values
certX.509 certificate, or NULL if not found

Definition at line 1746 of file x509.c.

1747 {
1748 struct x509_link *link;
1749 struct x509_certificate *cert;
1750
1751 /* Use default certificate store if none specified */
1752 if ( ! store )
1753 store = &certstore;
1754
1755 /* Search for certificate within store */
1756 list_for_each_entry ( link, &store->links, list ) {
1757
1758 /* Check raw certificate data */
1759 cert = link->cert;
1760 if ( asn1_compare ( raw, &cert->raw ) == 0 )
1761 return x509_found ( store, cert );
1762 }
1763
1764 return NULL;
1765}
certstore
struct x509_chain certstore
Certificate store.
Definition certstore.c:90
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition list.h:432
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition x509.h:221
x509_found
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition x509.c:1726

References asn1_compare(), certstore, link, list_for_each_entry, NULL, raw, x509_certificate::raw, x509_certificate::store, and x509_found().

Referenced by certstore_init(), and x509_certificate().

◆ x509_find_subject()

struct x509_certificate * x509_find_subject ( struct x509_chain * store,
const struct asn1_cursor * subject )

Identify X.509 certificate by subject.

Parameters
storeCertificate store, or NULL to use default
subjectSubject
Return values
certX.509 certificate, or NULL if not found

Definition at line 1775 of file x509.c.

1776 {
1777 struct x509_link *link;
1778 struct x509_certificate *cert;
1779
1780 /* Use default certificate store if none specified */
1781 if ( ! store )
1782 store = &certstore;
1783
1784 /* Scan through certificate list */
1785 list_for_each_entry ( link, &store->links, list ) {
1786
1787 /* Check subject */
1788 cert = link->cert;
1789 if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
1790 return x509_found ( store, cert );
1791 }
1792
1793 return NULL;
1794}

References asn1_compare(), certstore, link, list_for_each_entry, NULL, x509_subject::raw, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by x509_auto_append().

◆ x509_find_issuer_serial()

struct x509_certificate * x509_find_issuer_serial ( struct x509_chain * store,
const struct asn1_cursor * issuer,
const struct asn1_cursor * serial )

Identify X.509 certificate by issuer and serial number.

Parameters
storeCertificate store, or NULL to use default
issuerIssuer
serialSerial number
Return values
certX.509 certificate, or NULL if not found

Definition at line 1805 of file x509.c.

1807 {
1808 struct x509_link *link;
1809 struct x509_certificate *cert;
1810
1811 /* Use default certificate store if none specified */
1812 if ( ! store )
1813 store = &certstore;
1814
1815 /* Scan through certificate list */
1816 list_for_each_entry ( link, &store->links, list ) {
1817
1818 /* Check issuer and serial number */
1819 cert = link->cert;
1820 if ( ( asn1_compare ( issuer, &cert->issuer.raw ) == 0 ) &&
1821 ( asn1_compare ( serial, &cert->serial.raw ) == 0 ) )
1822 return x509_found ( store, cert );
1823 }
1824
1825 return NULL;
1826}
x509_serial::raw
struct asn1_cursor raw
Raw serial number.
Definition x509.h:26

References asn1_compare(), certstore, x509_certificate::issuer, link, list_for_each_entry, NULL, x509_issuer::raw, x509_serial::raw, serial, x509_certificate::serial, x509_certificate::store, and x509_found().

Referenced by cms_parse_identifier().

◆ x509_find_key()

struct x509_certificate * x509_find_key ( struct x509_chain * store,
struct private_key * key )

Identify X.509 certificate by corresponding public key.

Parameters
storeCertificate store, or NULL to use default
keyPrivate key
Return values
certX.509 certificate, or NULL if not found

Definition at line 1835 of file x509.c.

1836 {
1837 struct x509_link *link;
1838 struct x509_certificate *cert;
1839
1840 /* Use default certificate store if none specified */
1841 if ( ! store )
1842 store = &certstore;
1843
1844 /* Scan through certificate list */
1845 list_for_each_entry ( link, &store->links, list ) {
1846
1847 /* Check public key */
1848 cert = link->cert;
1849 if ( pubkey_match ( cert->signature_algorithm->pubkey,
1850 privkey_cursor ( key ),
1851 &cert->subject.public_key.raw ) == 0 )
1852 return x509_found ( store, cert );
1853 }
1854
1855 return NULL;
1856}
key
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
pubkey_match
static int pubkey_match(struct pubkey_algorithm *pubkey, const struct asn1_cursor *private_key, const struct asn1_cursor *public_key)
Definition crypto.h:315
privkey_cursor
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition privkey.h:53

References certstore, key, link, list_for_each_entry, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by cms_keypair_okx(), cms_recipient(), and tls_new_certificate_request().

◆ x509_auto_append()

int x509_auto_append ( struct x509_chain * chain,
struct x509_chain * store )

Append X.509 certificates to X.509 certificate chain.

Parameters
chainX.509 certificate chain
storeCertificate store, or NULL to use default
Return values
rcReturn status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1868 of file x509.c.

1868 {
1869 struct x509_certificate *cert;
1870 struct x509_certificate *previous;
1871 int rc;
1872
1873 /* Get current certificate */
1874 cert = x509_last ( chain );
1875 if ( ! cert ) {
1876 DBGC ( chain, "X509 chain %p has no certificates\n", chain );
1877 return -EACCES_EMPTY;
1878 }
1879
1880 /* Append certificates, in order */
1881 while ( 1 ) {
1882
1883 /* Find issuing certificate */
1884 previous = cert;
1885 cert = x509_find_subject ( store, &cert->issuer.raw );
1886 if ( ! cert )
1887 break;
1888 if ( cert == previous )
1889 break;
1890
1891 /* Append certificate to chain */
1892 if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1893 return rc;
1894 }
1895
1896 return 0;
1897}
x509_find_subject
struct x509_certificate * x509_find_subject(struct x509_chain *store, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
Definition x509.c:1775
EACCES_EMPTY
#define EACCES_EMPTY
Definition x509.c:111
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_certificate::store, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

◆ x509_validate_chain()

int x509_validate_chain ( struct x509_chain * chain,
time_t time,
struct x509_chain * store,
struct x509_root * root )

Validate X.509 certificate chain.

Parameters
chainX.509 certificate chain
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 1908 of file x509.c.

1909 {
1910 struct x509_certificate *issuer = NULL;
1911 struct x509_link *link;
1912 int rc;
1913
1914 /* Append any applicable certificates from the certificate store */
1915 if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
1916 return rc;
1917
1918 /* Find first certificate that can be validated as a
1919 * standalone (i.e. is already valid, or can be validated as
1920 * a trusted root certificate).
1921 */
1922 list_for_each_entry ( link, &chain->links, list ) {
1923
1924 /* Try validating this certificate as a standalone */
1925 if ( ( rc = x509_validate ( link->cert, NULL, time,
1926 root ) ) != 0 )
1927 continue;
1928
1929 /* Work back up to start of chain, performing pairwise
1930 * validation.
1931 */
1932 issuer = link->cert;
1933 list_for_each_entry_continue_reverse ( link, &chain->links,
1934 list ) {
1935
1936 /* Validate this certificate against its issuer */
1937 if ( ( rc = x509_validate ( link->cert, issuer, time,
1938 root ) ) != 0 )
1939 return rc;
1940 issuer = link->cert;
1941 }
1942
1943 return 0;
1944 }
1945
1946 DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
1947 return -EACCES_USELESS;
1948}
list_for_each_entry_continue_reverse
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
Definition list.h:487
x509_validate
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition x509.c:1366
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition x509.c:1868
EACCES_USELESS
#define EACCES_USELESS
Definition x509.c:123

References DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

◆ image_x509()

int image_x509 ( struct image * image,
size_t offset,
struct x509_certificate ** cert )

Extract X.509 certificate object from image.

Parameters
imageImage
offsetOffset within image
Return values
certX.509 certificate
nextOffset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1961 of file x509.c.

1962 {
1963 struct asn1_cursor *cursor;
1964 int next;
1965 int rc;
1966
1967 /* Get ASN.1 object */
1968 next = image_asn1 ( image, offset, &cursor );
1969 if ( next < 0 ) {
1970 rc = next;
1971 goto err_asn1;
1972 }
1973
1974 /* Parse certificate */
1975 if ( ( rc = x509_certificate ( cursor->data, cursor->len,
1976 cert ) ) != 0 )
1977 goto err_certificate;
1978
1979 /* Free ASN.1 object */
1980 free ( cursor );
1981
1982 return next;
1983
1984 x509_put ( *cert );
1985 err_certificate:
1986 free ( cursor );
1987 err_asn1:
1988 return rc;
1989}
image_asn1
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition asn1.c:1028
offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3
next
uint32_t next
Next descriptor address.
Definition dwmac.h:11
image
An executable image.
Definition image.h:24

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

◆ REQUIRING_SYMBOL()

REQUIRING_SYMBOL ( x509_validate )

References x509_validate().

◆ REQUIRE_OBJECT() [1/2]

REQUIRE_OBJECT ( certstore )

References certstore.

◆ REQUIRE_OBJECT() [2/2]

REQUIRE_OBJECT ( config_crypto )

Variable Documentation

◆ oid_common_name

uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME }
static

"commonName" object identifier

Definition at line 171 of file x509.c.

171{ ASN1_OID_COMMON_NAME };
ASN1_OID_COMMON_NAME
#define ASN1_OID_COMMON_NAME
ASN.1 OID for commonName (2.5.4.3)
Definition asn1.h:322

◆ oid_common_name_cursor

struct asn1_cursor oid_common_name_cursor
static
Initial value:
=
ASN1_CURSOR ( oid_common_name )
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition asn1.h:402
oid_common_name
static uint8_t oid_common_name[]
"commonName" object identifier
Definition x509.c:171

"commonName" object identifier cursor

Definition at line 174 of file x509.c.

Referenced by x509_parse_common_name().

◆ oid_code_signing

uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING }
static

"id-kp-codeSigning" object identifier

Definition at line 535 of file x509.c.

535{ ASN1_OID_CODESIGNING };
ASN1_OID_CODESIGNING
#define ASN1_OID_CODESIGNING
ASN.1 OID for id-kp-codeSigning (1.3.6.1.5.5.7.3.3)
Definition asn1.h:342

◆ oid_ocsp_signing

uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING }
static

"id-kp-OCSPSigning" object identifier

Definition at line 538 of file x509.c.

538{ ASN1_OID_OCSPSIGNING };
ASN1_OID_OCSPSIGNING
#define ASN1_OID_OCSPSIGNING
ASN.1 OID for id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)
Definition asn1.h:390

◆ x509_key_purposes

struct x509_key_purpose x509_key_purposes[]
static
Initial value:
= {
{
.name = "codeSigning",
.bits = X509_CODE_SIGNING,
.oid = ASN1_CURSOR ( oid_code_signing ),
},
{
.name = "ocspSigning",
.bits = X509_OCSP_SIGNING,
.oid = ASN1_CURSOR ( oid_ocsp_signing ),
},
}
oid_code_signing
static uint8_t oid_code_signing[]
"id-kp-codeSigning" object identifier
Definition x509.c:535
oid_ocsp_signing
static uint8_t oid_ocsp_signing[]
"id-kp-OCSPSigning" object identifier
Definition x509.c:538
X509_CODE_SIGNING
@ X509_CODE_SIGNING
Definition x509.h:125
X509_OCSP_SIGNING
@ X509_OCSP_SIGNING
Definition x509.h:126

Supported key purposes.

Definition at line 541 of file x509.c.

541 {
542 {
543 .name = "codeSigning",
544 .bits = X509_CODE_SIGNING,
545 .oid = ASN1_CURSOR ( oid_code_signing ),
546 },
547 {
548 .name = "ocspSigning",
549 .bits = X509_OCSP_SIGNING,
550 .oid = ASN1_CURSOR ( oid_ocsp_signing ),
551 },
552};

Referenced by x509_parse_key_purpose().

◆ oid_ad_ocsp

uint8_t oid_ad_ocsp[] = { ASN1_OID_OCSP }
static

"id-ad-ocsp" object identifier

Definition at line 647 of file x509.c.

647{ ASN1_OID_OCSP };
ASN1_OID_OCSP
#define ASN1_OID_OCSP
ASN.1 OID for id-ad-ocsp (1.3.6.1.5.5.7.48.1)
Definition asn1.h:375

◆ x509_access_methods

struct x509_access_method x509_access_methods[]
static
Initial value:
= {
{
.name = "OCSP",
.oid = ASN1_CURSOR ( oid_ad_ocsp ),
.parse = x509_parse_ocsp,
},
}
oid_ad_ocsp
static uint8_t oid_ad_ocsp[]
"id-ad-ocsp" object identifier
Definition x509.c:647
x509_parse_ocsp
static int x509_parse_ocsp(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate OCSP access method.
Definition x509.c:626

Supported access methods.

Definition at line 650 of file x509.c.

650 {
651 {
652 .name = "OCSP",
653 .oid = ASN1_CURSOR ( oid_ad_ocsp ),
654 .parse = x509_parse_ocsp,
655 },
656};

Referenced by x509_find_access_method().

◆ oid_ce_basic_constraints

uint8_t oid_ce_basic_constraints[]
static
Initial value:
=
{ ASN1_OID_BASICCONSTRAINTS }
ASN1_OID_BASICCONSTRAINTS
#define ASN1_OID_BASICCONSTRAINTS
ASN.1 OID for id-ce-basicConstraints (2.5.29.19)
Definition asn1.h:332

"id-ce-basicConstraints" object identifier

Definition at line 767 of file x509.c.

768 { ASN1_OID_BASICCONSTRAINTS };

◆ oid_ce_key_usage

uint8_t oid_ce_key_usage[]
static
Initial value:
=
{ ASN1_OID_KEYUSAGE }
ASN1_OID_KEYUSAGE
#define ASN1_OID_KEYUSAGE
ASN.1 OID for id-ce-keyUsage (2.5.29.15)
Definition asn1.h:327

"id-ce-keyUsage" object identifier

Definition at line 771 of file x509.c.

772 { ASN1_OID_KEYUSAGE };

◆ oid_ce_ext_key_usage

uint8_t oid_ce_ext_key_usage[]
static
Initial value:
=
{ ASN1_OID_EXTKEYUSAGE }
ASN1_OID_EXTKEYUSAGE
#define ASN1_OID_EXTKEYUSAGE
ASN.1 OID for id-ce-extKeyUsage (2.5.29.37)
Definition asn1.h:337

"id-ce-extKeyUsage" object identifier

Definition at line 775 of file x509.c.

776 { ASN1_OID_EXTKEYUSAGE };

◆ oid_pe_authority_info_access

uint8_t oid_pe_authority_info_access[]
static
Initial value:
=
{ ASN1_OID_AUTHORITYINFOACCESS }
ASN1_OID_AUTHORITYINFOACCESS
#define ASN1_OID_AUTHORITYINFOACCESS
ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1)
Definition asn1.h:368

"id-pe-authorityInfoAccess" object identifier

Definition at line 779 of file x509.c.

780 { ASN1_OID_AUTHORITYINFOACCESS };

◆ oid_ce_subject_alt_name

uint8_t oid_ce_subject_alt_name[]
static
Initial value:
=
{ ASN1_OID_SUBJECTALTNAME }
ASN1_OID_SUBJECTALTNAME
#define ASN1_OID_SUBJECTALTNAME
ASN.1 OID for id-ce-subjectAltName (2.5.29.17)
Definition asn1.h:397

"id-ce-subjectAltName" object identifier

Definition at line 783 of file x509.c.

784 { ASN1_OID_SUBJECTALTNAME };

◆ x509_extensions

struct x509_extension x509_extensions[]
static
Initial value:
= {
{
.name = "basicConstraints",
.oid = ASN1_CURSOR ( oid_ce_basic_constraints ),
.parse = x509_parse_basic_constraints,
},
{
.name = "keyUsage",
.oid = ASN1_CURSOR ( oid_ce_key_usage ),
.parse = x509_parse_key_usage,
},
{
.name = "extKeyUsage",
.oid = ASN1_CURSOR ( oid_ce_ext_key_usage ),
.parse = x509_parse_extended_key_usage,
},
{
.name = "authorityInfoAccess",
.oid = ASN1_CURSOR ( oid_pe_authority_info_access ),
.parse = x509_parse_authority_info_access,
},
{
.name = "subjectAltName",
.oid = ASN1_CURSOR ( oid_ce_subject_alt_name ),
.parse = x509_parse_subject_alt_name,
},
}
oid_ce_basic_constraints
static uint8_t oid_ce_basic_constraints[]
"id-ce-basicConstraints" object identifier
Definition x509.c:767
oid_ce_ext_key_usage
static uint8_t oid_ce_ext_key_usage[]
"id-ce-extKeyUsage" object identifier
Definition x509.c:775
x509_parse_basic_constraints
static int x509_parse_basic_constraints(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate basic constraints.
Definition x509.c:438
x509_parse_subject_alt_name
static int x509_parse_subject_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject alternative name.
Definition x509.c:746
x509_parse_authority_info_access
static int x509_parse_authority_info_access(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate authority information access.
Definition x509.c:719
oid_ce_subject_alt_name
static uint8_t oid_ce_subject_alt_name[]
"id-ce-subjectAltName" object identifier
Definition x509.c:783
oid_ce_key_usage
static uint8_t oid_ce_key_usage[]
"id-ce-keyUsage" object identifier
Definition x509.c:771
x509_parse_key_usage
static int x509_parse_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key usage.
Definition x509.c:500
x509_parse_extended_key_usage
static int x509_parse_extended_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extended key usage.
Definition x509.c:600
oid_pe_authority_info_access
static uint8_t oid_pe_authority_info_access[]
"id-pe-authorityInfoAccess" object identifier
Definition x509.c:779

Supported certificate extensions.

Definition at line 787 of file x509.c.

787 {
788 {
789 .name = "basicConstraints",
790 .oid = ASN1_CURSOR ( oid_ce_basic_constraints ),
791 .parse = x509_parse_basic_constraints,
792 },
793 {
794 .name = "keyUsage",
795 .oid = ASN1_CURSOR ( oid_ce_key_usage ),
796 .parse = x509_parse_key_usage,
797 },
798 {
799 .name = "extKeyUsage",
800 .oid = ASN1_CURSOR ( oid_ce_ext_key_usage ),
801 .parse = x509_parse_extended_key_usage,
802 },
803 {
804 .name = "authorityInfoAccess",
805 .oid = ASN1_CURSOR ( oid_pe_authority_info_access ),
806 .parse = x509_parse_authority_info_access,
807 },
808 {
809 .name = "subjectAltName",
810 .oid = ASN1_CURSOR ( oid_ce_subject_alt_name ),
811 .parse = x509_parse_subject_alt_name,
812 },
813};
Generated by doxygen 1.14.0